From 396fc7d1641b37329eab9ccaa83608613f6c2f1e Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 9 Jan 2025 03:04:19 -0800 Subject: [PATCH 01/20] Default to raw api --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/inputs/input-winlog.asciidoc | 60 +- winlogbeat/docs/winlogbeat-options.asciidoc | 21 +- winlogbeat/eventlog/bench_test.go | 22 +- winlogbeat/eventlog/cache.go | 164 ----- winlogbeat/eventlog/config.go | 136 ++++ winlogbeat/eventlog/eventlog.go | 2 - winlogbeat/eventlog/factory.go | 130 ---- winlogbeat/eventlog/factory_other.go | 31 + winlogbeat/eventlog/factory_windows.go | 33 + winlogbeat/eventlog/metrics.go | 151 +++++ winlogbeat/eventlog/wineventlog.go | 711 +++++--------------- winlogbeat/eventlog/wineventlog_raw.go | 390 ----------- winlogbeat/eventlog/wineventlog_test.go | 113 ++-- 14 files changed, 576 insertions(+), 1389 deletions(-) delete mode 100644 winlogbeat/eventlog/cache.go create mode 100644 winlogbeat/eventlog/config.go delete mode 100644 winlogbeat/eventlog/factory.go create mode 100644 winlogbeat/eventlog/factory_other.go create mode 100644 winlogbeat/eventlog/factory_windows.go create mode 100644 winlogbeat/eventlog/metrics.go delete mode 100644 winlogbeat/eventlog/wineventlog_raw.go diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 33feb91cff20..646fa05673d8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -90,6 +90,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] *Winlogbeat* - Add "event.category" and "event.type" to Sysmon module for EventIDs 8, 9, 19, 20, 27, 28, 255 {pull}35193[35193] +- Default to use raw api and delete older xml implementation. {pull}42275[42275] *Functionbeat* diff --git a/filebeat/docs/inputs/input-winlog.asciidoc b/filebeat/docs/inputs/input-winlog.asciidoc index 6d58c7d8df8d..fb624dc3af58 100644 --- a/filebeat/docs/inputs/input-winlog.asciidoc +++ b/filebeat/docs/inputs/input-winlog.asciidoc 
@@ -181,40 +181,6 @@ IDs to include (e.g. 4700-4800), and single event IDs to exclude (e.g. -4735). event_id: 4624, 4625, 4700-4800, -4735 -------------------------------------------------------------------------------- -[WARNING] -======================================= -If you specify more than 22 query conditions (event IDs or event ID ranges), some -versions of Windows will prevent {beatname_uc} from reading the event log due to -limits in the query system. If this occurs a similar warning as shown below will -be logged by {beatname_uc}, and it will continue processing data from other event -logs. - -`WARN EventLog[Application] Open() error. No events will be read from this -source. The specified query is invalid.` - -In some cases, the limit may be lower than 22 conditions. For instance, using a -mixture of ranges and single event IDs, along with an additional parameter such -as `ignore older`, results in a limit of 21 conditions. - -If you have more than 22 conditions, you can workaround this Windows limitation -by using a drop_event[drop-event] processor to do the filtering after -{beatname_uc} has received the events from Windows. The filter shown below is -equivalent to `event_id: 903, 1024, 4624` but can be expanded beyond 22 -event IDs. - -[source,yaml] --------------------------------------------------------------------------------- -- type: winlog - name: Security - processors: - - drop_event.when.not.or: - - equals.winlog.event_id: 903 - - equals.winlog.event_id: 1024 - - equals.winlog.event_id: 4624 --------------------------------------------------------------------------------- - -======================================= - [float] ==== `language` @@ -350,6 +316,9 @@ Example: include_xml: true -------------------------------------------------------------------------------- +* This can have a significant impact on performance that can vary depending +on your system specs. + [float] ==== `tags` 
@@ -434,26 +403,3 @@ stopped. *{vista_and_newer}* Setting `no_more_events` to `stop` is useful when reading from archived event log files where you want to read the whole file then exit. - -[float] -==== `api` - -This selects the event log reader implementation that is used to read events -from the Windows APIs. You should only set this option when testing experimental -features. When the value is set to `wineventlog-experimental` {beatname_uc} will -replace the default event log reader with the **experimental** implementation. -We are evaluating this implementation to see if it can provide increased -performance and reduce CPU usage. *{vista_and_newer}* - -[source,yaml] --------------------------------------------------------------------------------- -- type: winlog - name: ForwardedEvents - api: wineventlog-experimental --------------------------------------------------------------------------------- - -There are a few notable differences in the events: - -* Events that contained data under `winlog.user_data` will now have it under - `winlog.event_data`. -* Setting `include_xml: true` has no effect. diff --git a/winlogbeat/docs/winlogbeat-options.asciidoc b/winlogbeat/docs/winlogbeat-options.asciidoc index 80804e25b2c5..57239aa72d33 100644 --- a/winlogbeat/docs/winlogbeat-options.asciidoc +++ b/winlogbeat/docs/winlogbeat-options.asciidoc @@ -376,6 +376,9 @@ winlogbeat.event_logs: include_xml: true -------------------------------------------------------------------------------- +* This can have a significant impact on performance that can vary depending +on your system specs. + [float] ==== `event_logs.tags` 
@@ -462,24 +465,6 @@ Setting `no_more_events` to `stop` is useful when reading from archived event log files where you want to read the whole file then exit. There's a complete example of how to read from an `.evtx` file in the <>. -[float] -==== `event_logs.api` - -This selects the event log reader implementation that is used to read events -from the Windows APIs. When the value is set to `wineventlog-raw` Winlogbeat will -replace the default XML event log reader with a more performant implementation. -*{vista_and_newer}* - -[source,yaml] --------------------------------------------------------------------------------- -winlogbeat.event_logs: - - name: ForwardedEvents - api: wineventlog-raw --------------------------------------------------------------------------------- - -* If `include_xml` is `true` the performance will be the same as the default API, -as performance improvements are lost when parsing the XML. - [float] ==== `overwrite_pipelines` diff --git a/winlogbeat/eventlog/bench_test.go b/winlogbeat/eventlog/bench_test.go index 97946a509b3f..91b40a89f445 100644 --- a/winlogbeat/eventlog/bench_test.go +++ b/winlogbeat/eventlog/bench_test.go 
@@ -58,21 +58,17 @@ func TestBenchmarkRead(t *testing.T) { safeWriteEvent(t, writer, uint32(rand.Int63()%1000), strconv.Itoa(i)+" "+randomSentence(256)) } - for _, api := range []string{winEventLogAPIName, winEventLogExpAPIName} { - t.Run("api="+api, func(t *testing.T) { - for _, includexml := range []bool{true, false} { - for _, batchSize := range []int{10, 100, 500, 1000} { - t.Run(fmt.Sprintf("include_xml=%v/batch_size=%d", includexml, batchSize), func(t *testing.T) { - result := testing.Benchmark(benchmarkEventLog(api, includexml, batchSize)) - outputBenchmarkResults(t, result) - }) - } - } - }) + for _, includexml := range []bool{true, false} { + for _, batchSize := range []int{10, 100, 500, 1000} { + t.Run(fmt.Sprintf("include_xml=%v/batch_size=%d", includexml, batchSize), func(t *testing.T) { + result := testing.Benchmark(benchmarkEventLog(includexml, batchSize)) + outputBenchmarkResults(t, result) + }) + } } } -func benchmarkEventLog(api string, includexml bool, batchSize int) func(b *testing.B) { +func benchmarkEventLog(includexml bool, batchSize int) func(b *testing.B) { return func(b *testing.B) { conf := mapstr.M{ "name": providerName, @@ -81,7 +77,7 @@ func benchmarkEventLog(api string, includexml bool, batchSize int) func(b *testi "include_xml": includexml, } - log := openLog(b, api, nil, conf) + log := openLog(b, nil, conf) defer log.Close() events := 0 diff --git a/winlogbeat/eventlog/cache.go b/winlogbeat/eventlog/cache.go deleted file mode 100644 index 985c28f433c0..000000000000 --- a/winlogbeat/eventlog/cache.go +++ /dev/null 
@@ -1,164 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-//go:build windows
-
-package eventlog
-
-// This component of the eventlog package provides a cache for storing Handles
-// to event message files.
-
-import (
-	"expvar"
-	"time"
-
-	"github.com/elastic/beats/v7/libbeat/common"
-	"github.com/elastic/beats/v7/winlogbeat/sys"
-	win "github.com/elastic/beats/v7/winlogbeat/sys/wineventlog"
-	"github.com/elastic/elastic-agent-libs/logp"
-)
-
-// Stats for the message file caches.
-var (
-	cacheStats = expvar.NewMap("msg_file_cache")
-)
-
-// Constants that control the cache behavior.
-const (
-	expirationTimeout time.Duration = 2 * time.Minute
-	janitorInterval   time.Duration = 30 * time.Second
-	initialSize       int           = 10
-)
-
-// Function type for loading event message files associated with the given
-// event log and source name.
-type messageFileLoaderFunc func(eventLogName, sourceName string) sys.MessageFiles
-
-// Function type for freeing Handles.
-type freeHandleFunc func(handle uintptr) error
-
-// handleCache provides a synchronized cache that holds MessageFiles.
-type messageFilesCache struct {
-	cache        *common.Cache
-	loader       messageFileLoaderFunc
-	freer        freeHandleFunc
-	eventLogName string
-
-	// Cache metrics.
-	hit  func() // Increments number of cache hits.
-	miss func() // Increments number of cache misses.
-	size func() // Sets the current cache size.
-}
-
-// newHandleCache creates and returns a new handleCache that has been
-// initialized (including starting a periodic janitor goroutine to purge
-// expired Handles).
-func newMessageFilesCache(eventLogName string, loader messageFileLoaderFunc,
-	freer freeHandleFunc,
-) *messageFilesCache {
-	size := &expvar.Int{}
-	cacheStats.Set(eventLogName+"Size", size)
-
-	hc := &messageFilesCache{
-		loader:       loader,
-		freer:        freer,
-		eventLogName: eventLogName,
-		hit:          func() { cacheStats.Add(eventLogName+"Hits", 1) },
-		miss:         func() { cacheStats.Add(eventLogName+"Misses", 1) },
-	}
-	hc.cache = common.NewCacheWithRemovalListener(expirationTimeout,
-		initialSize, hc.evictionHandler)
-	hc.cache.StartJanitor(janitorInterval)
-	hc.size = func() {
-		s := hc.cache.Size()
-		size.Set(int64(s))
-		debugf("messageFilesCache[%s] size=%d", hc.eventLogName, s)
-	}
-	return hc
-}
-
-// get returns a cached MessageFiles for the given sourceName.
-// If no item is cached, then one is loaded, stored, and returned.
-// Callers should check the MessageFiles.Err value to see if an error occurred
-// while loading the message files.
-func (hc *messageFilesCache) get(sourceName string) win.EvtHandle {
-	v := hc.cache.Get(sourceName)
-	if v == nil {
-		hc.miss()
-
-		// Handle to event message file for sourceName is not cached. Attempt
-		// to load the Handles into the cache.
-		v = hc.loader(hc.eventLogName, sourceName)
-
-		// Store the newly loaded value. Since this code does not lock we must
-		// check if a value was already loaded.
-		existing := hc.cache.PutIfAbsent(sourceName, v)
-		if existing != nil {
-			// A value was already loaded, so free the handles we just created.
-			messageFiles, _ := v.(sys.MessageFiles)
-			hc.freeHandles(messageFiles)
-
-			// Return the existing cached value.
-			messageFiles, _ = existing.(sys.MessageFiles)
-
-			if messageFiles.Err == nil {
-				// There is only ever a single handle when using the Windows Event
-				// Log API.
-				return win.EvtHandle(messageFiles.Handles[0].Handle)
-			}
-		}
-		hc.size()
-	} else {
-		hc.hit()
-	}
-
-	messageFiles, _ := v.(sys.MessageFiles)
-	if messageFiles.Err == nil {
-		// There is only ever a single handle when using the Windows Event
-		// Log API.
-		return win.EvtHandle(messageFiles.Handles[0].Handle)
-	}
-	return win.NilHandle
-}
-
-// evictionHandler is the callback handler that receives notifications when
-// a key-value pair is evicted from the messageFilesCache.
-func (hc *messageFilesCache) evictionHandler(k common.Key, v common.Value) {
-	// Update the size on a different goroutine after the callback completes.
-	defer func() { go hc.size() }()
-
-	messageFiles, ok := v.(sys.MessageFiles)
-	if !ok {
-		return
-	}
-
-	debugf("messageFilesCache[%s] Evicting messageFiles %+v for sourceName %v.",
-		hc.eventLogName, messageFiles, k)
-	hc.freeHandles(messageFiles)
-}
-
-// freeHandles free the event message file Handles so that the modules can
-// be unloaded. The Handles are no longer valid after being freed.
-func (hc *messageFilesCache) freeHandles(mf sys.MessageFiles) {
-	for _, fh := range mf.Handles {
-		err := hc.freer(fh.Handle)
-		if err != nil {
-			logp.Warn("messageFilesCache[%s] FreeLibrary error for handle %v",
-				hc.eventLogName, fh.Handle)
-		}
-	}
-}
diff --git a/winlogbeat/eventlog/config.go b/winlogbeat/eventlog/config.go
new file mode 100644
index 000000000000..a4809d51378b
--- /dev/null
+++ b/winlogbeat/eventlog/config.go
@@ -0,0 +1,136 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build windows
+
+package eventlog
+
+import (
+	"encoding/xml"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/joeshaw/multierror"
+
+	conf "github.com/elastic/elastic-agent-libs/config"
+)
+
+type validator interface {
+	Validate() error
+}
+
+func readConfig(c *conf.C, config interface{}) error {
+	if err := c.Unpack(config); err != nil {
+		return fmt.Errorf("failed unpacking config. %v", err)
+	}
+
+	if v, ok := config.(validator); ok {
+		if err := v.Validate(); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+type config struct {
+	Renderer      string `config:"renderer"`        // Name of the renderer to use. Optional.
+	Name          string `config:"name"`            // Name of the event log or channel or file.
+	ID            string `config:"id"`              // Identifier for the event log.
+	XMLQuery      string `config:"xml_query"`       // Custom query XML. Must not be used with the keys from eventlog.query.
+	BatchReadSize int    `config:"batch_read_size"` // Maximum number of events that Read will return.
+	IncludeXML    bool               `config:"include_xml"`
+	Forwarded     *bool              `config:"forwarded"`
+	SimpleQuery   query              `config:",inline"`
+	NoMoreEvents  NoMoreEventsAction `config:"no_more_events"` // Action to take when no more events are available - wait or stop.
+	EventLanguage uint32             `config:"language"`
+}
+
+// query contains parameters used to customize the event log data that is
+// queried from the log.
+type query struct {
+	IgnoreOlder time.Duration `config:"ignore_older"` // Ignore records older than this period of time.
+	EventID     string        `config:"event_id"`     // White-list and black-list of events.
+	Level       string        `config:"level"`        // Severity level.
+	Provider    []string      `config:"provider"`     // Provider (source name).
+}
+
+// NoMoreEventsAction defines what action for the reader to take when
+// ERROR_NO_MORE_ITEMS is returned by the Windows API.
+type NoMoreEventsAction uint8
+
+const (
+	// Wait for new events.
+	Wait NoMoreEventsAction = iota
+	// Stop the reader.
+	Stop
+)
+
+var noMoreEventsActionNames = map[NoMoreEventsAction]string{
+	Wait: "wait",
+	Stop: "stop",
+}
+
+// Unpack sets the action based on the string value.
+func (a *NoMoreEventsAction) Unpack(v string) error {
+	v = strings.ToLower(v)
+	for action, name := range noMoreEventsActionNames {
+		if v == name {
+			*a = action
+			return nil
+		}
+	}
+	return fmt.Errorf("invalid no_more_events action: %v", v)
+}
+
+// String returns the name of the action.
+func (a NoMoreEventsAction) String() string { return noMoreEventsActionNames[a] }
+
+// Validate validates the winEventLogConfig data and returns an error describing
+// any problems or nil.
+func (c *config) Validate() error {
+	var errs multierror.Errors
+
+	if c.XMLQuery != "" {
+		if c.ID == "" {
+			errs = append(errs, fmt.Errorf("event log is missing an 'id'"))
+		}
+
+		// Check for XML syntax errors. This does not check the validity of the query itself.
+ if err := xml.Unmarshal([]byte(c.XMLQuery), &struct{}{}); err != nil { + errs = append(errs, fmt.Errorf("invalid xml_query: %w", err)) + } + + switch { + case c.Name != "": + errs = append(errs, fmt.Errorf("xml_query cannot be used with 'name'")) + case c.SimpleQuery.IgnoreOlder != 0: + errs = append(errs, fmt.Errorf("xml_query cannot be used with 'ignore_older'")) + case c.SimpleQuery.Level != "": + errs = append(errs, fmt.Errorf("xml_query cannot be used with 'level'")) + case c.SimpleQuery.EventID != "": + errs = append(errs, fmt.Errorf("xml_query cannot be used with 'event_id'")) + case len(c.SimpleQuery.Provider) != 0: + errs = append(errs, fmt.Errorf("xml_query cannot be used with 'provider'")) + } + } else if c.Name == "" { + errs = append(errs, fmt.Errorf("event log is missing a 'name'")) + } + + return errs.Err() +} diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go index 0a06bf13ce97..555b071d6590 100644 --- a/winlogbeat/eventlog/eventlog.go +++ b/winlogbeat/eventlog/eventlog.go @@ -70,7 +70,6 @@ type EventLog interface { type Record struct { winevent.Event File string // Source file when event is from a file. - API string // The event log API type used to read the record. XML string // XML representation of the event. Offset checkpoint.EventLogState // Position of the record within its source stream. } @@ -80,7 +79,6 @@ func (e Record) ToEvent() beat.Event { win := e.Fields() _ = win.Delete("time_created") - _, _ = win.Put("api", e.API) m := mapstr.M{ "winlog": win, diff --git a/winlogbeat/eventlog/factory.go b/winlogbeat/eventlog/factory.go deleted file mode 100644 index 851615bc80c7..000000000000 --- a/winlogbeat/eventlog/factory.go +++ /dev/null 
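Review bot: The `switch` in `Validate` stops at the first simple-query key that conflicts with `xml_query`, so a configuration that sets `xml_query` together with both `name` and `event_id` is rejected for `name` only and the user discovers `event_id` on the next restart; `errs` is already a multierror, so independent `if` statements would report every conflict in one pass. Separately, `readConfig` wraps the unpack failure with `%v`, which drops the error chain for `errors.Is`/`errors.As` — since this file is new, `return fmt.Errorf("failed unpacking config: %w", err)` costs nothing. Both behaviours are carried over from the removed factory.go/wineventlog.go code rather than introduced here, but this is the moment they are easiest to fix.
```go
		if c.Name != "" {
			errs = append(errs, fmt.Errorf("xml_query cannot be used with 'name'"))
		}
		if c.SimpleQuery.IgnoreOlder != 0 {
			errs = append(errs, fmt.Errorf("xml_query cannot be used with 'ignore_older'"))
		}
		// … same pattern for 'level', 'event_id' and 'provider' …
```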
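Review bot: Removing `_, _ = win.Put("api", e.API)` from `ToEvent` drops the `winlog.api` field from every event this beat emits, which is a visible output-schema change that the CHANGELOG entry in this patch describes only as defaulting to the raw API; an ingest pipeline, index mapping or detection rule keyed on `winlog.api` will silently stop matching. I would state it in the changelog line, e.g. `- Default to use raw api and delete older xml implementation. The winlog.api field is no longer populated. {pull}42275[42275]`, and, if `winlog.api` is listed in the exported-fields documentation, remove it there in the same change. The body of `ToEvent` continues outside the hunk.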
@@ -1,130 +0,0 @@
-// Licensed to Elasticsearch B.V. under one or more contributor
-// license agreements. See the NOTICE file distributed with
-// this work for additional information regarding copyright
-// ownership. Elasticsearch B.V. licenses this file to you under
-// the Apache License, Version 2.0 (the "License"); you may
-// not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-package eventlog
-
-import (
-	"errors"
-	"fmt"
-	"sort"
-	"strings"
-
-	conf "github.com/elastic/elastic-agent-libs/config"
-)
-
-// ConfigCommon is the common configuration data used to instantiate a new
-// EventLog. Each implementation is free to support additional configuration
-// options.
-type ConfigCommon struct {
-	API      string `config:"api"`       // Name of the API to use. Optional.
-	Name     string `config:"name"`      // Name of the event log or channel or file.
-	ID       string `config:"id"`        // Identifier for the event log.
-	XMLQuery string `config:"xml_query"` // Custom query XML. Must not be used with the keys from eventlog.query.
-}
-
-type validator interface {
-	Validate() error
-}
-
-func readConfig(c *conf.C, config interface{}) error {
-	if err := c.Unpack(config); err != nil {
-		return fmt.Errorf("failed unpacking config. %v", err)
-	}
-
-	if v, ok := config.(validator); ok {
-		if err := v.Validate(); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-// Producer produces a new event log instance for reading event log records.
-type producer func(*conf.C) (EventLog, error)
-
-// Channels lists the available channels (event logs).
-type channels func() ([]string, error)
-
-// eventLogInfo is the registration info associated with an event log API.
-type eventLogInfo struct {
-	apiName  string
-	priority int
-	producer producer
-	channels func() ([]string, error)
-}
-
-// eventLogs is a map of priorities to eventLogInfo. The lower numbers have
-// higher priorities.
-var eventLogs = make(map[int]eventLogInfo)
-
-// Register registers an EventLog API. Only the APIs that are available for the
-// runtime OS should be registered. Each API must have a unique priority.
-func Register(apiName string, priority int, producer producer, channels channels) {
-	info, exists := eventLogs[priority]
-	if exists {
-		panic(fmt.Sprintf("%s API is already registered with priority %d. "+
-			"Cannot register %s", info.apiName, info.priority, apiName))
-	}
-
-	eventLogs[priority] = eventLogInfo{
-		apiName:  apiName,
-		priority: priority,
-		producer: producer,
-		channels: channels,
-	}
-}
-
-// New creates and returns a new EventLog instance based on the given config
-// and the registered EventLog producers.
-func New(options *conf.C) (EventLog, error) {
-	if len(eventLogs) == 0 {
-		return nil, errors.New("No event log API is available on this system")
-	}
-
-	var config ConfigCommon
-	if err := readConfig(options, &config); err != nil {
-		return nil, err
-	}
-
-	// A specific API is being requested (usually done for testing).
-	if config.API != "" {
-		for _, v := range eventLogs {
-			debugf("Checking %s", v.apiName)
-			if strings.EqualFold(v.apiName, config.API) {
-				debugf("Using %s API for event log %s", v.apiName, config.Name)
-				e, err := v.producer(options)
-				return e, err
-			}
-		}
-
-		return nil, fmt.Errorf("%s API is not available", config.API)
-	}
-
-	// Use the API with the highest priority.
-	keys := make([]int, 0, len(eventLogs))
-	for key := range eventLogs {
-		keys = append(keys, key)
-	}
-	sort.Ints(keys)
-
-	eventLog := eventLogs[keys[0]]
-	debugf("Using highest priority API, %s, for event log %s",
-		eventLog.apiName, config.Name)
-	e, err := eventLog.producer(options)
-	return e, err
-}
diff --git a/winlogbeat/eventlog/factory_other.go b/winlogbeat/eventlog/factory_other.go
new file mode 100644
index 000000000000..83052154507a
--- /dev/null
+++ b/winlogbeat/eventlog/factory_other.go
@@ -0,0 +1,31 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !windows
+
+package eventlog
+
+import (
+	"errors"
+
+	conf "github.com/elastic/elastic-agent-libs/config"
+)
+
+// New creates and returns a new EventLog instance based on the given config.
+func New(options *conf.C) (EventLog, error) {
+	return nil, errors.New("only supported on windows platform")
+}
diff --git a/winlogbeat/eventlog/factory_windows.go b/winlogbeat/eventlog/factory_windows.go
new file mode 100644
index 000000000000..aeac75422934
--- /dev/null
+++ b/winlogbeat/eventlog/factory_windows.go
@@ -0,0 +1,33 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build windows
+
+package eventlog
+
+import (
+	conf "github.com/elastic/elastic-agent-libs/config"
+)
+
+// New creates and returns a new EventLog instance based on the given config.
+func New(options *conf.C) (EventLog, error) {
+	var config config
+	if err := readConfig(options, &config); err != nil {
+		return nil, err
+	}
+	return newWinEventLog(options)
+}
diff --git a/winlogbeat/eventlog/metrics.go b/winlogbeat/eventlog/metrics.go
new file mode 100644
index 000000000000..45c1d1edf126
--- /dev/null
+++ b/winlogbeat/eventlog/metrics.go
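Review bot: `var config config` in `New` declares a local with the same name as the `config` type, so for the rest of the function the identifier is the variable and the type is shadowed; it compiles, but it reads like a typo and is the kind of thing linters flag. Renaming the local — `var cfg config` and `readConfig(options, &cfg)` — removes the ambiguity. The validated struct is then discarded and `newWinEventLog(options)` receives the raw `*conf.C`; if that function unpacks the same options again (its body is not in this patch), a one-line comment such as `// Unpack here only to fail fast on invalid config; newWinEventLog re-reads options.` would make the apparent duplication intentional rather than accidental.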
@@ -0,0 +1,151 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build windows
+
+package eventlog
+
+import (
+	"expvar"
+	"strconv"
+	"syscall"
+	"time"
+
+	"github.com/rcrowley/go-metrics"
+
+	"github.com/elastic/beats/v7/libbeat/monitoring/inputmon"
+	"github.com/elastic/elastic-agent-libs/monitoring"
+	"github.com/elastic/elastic-agent-libs/monitoring/adapter"
+)
+
+var (
+	// dropReasons contains counters for the number of dropped events for each
+	// reason.
+	dropReasons = expvar.NewMap("drop_reasons")
+
+	// readErrors contains counters for the read error types that occur.
+	readErrors = expvar.NewMap("read_errors")
+)
+
+// incrementMetric increments a value in the specified expvar.Map. The key
+// should be a windows syscall.Errno or a string. Any other types will be
+// reported under the "other" key.
+func incrementMetric(v *expvar.Map, key interface{}) {
+	switch t := key.(type) {
+	default:
+		v.Add("other", 1)
+	case string:
+		v.Add(t, 1)
+	case syscall.Errno:
+		v.Add(strconv.Itoa(int(t)), 1)
+	}
+}
+
+// inputMetrics handles event log metric reporting.
+type inputMetrics struct {
+	unregister func()
+
+	lastBatch time.Time
+
+	name        *monitoring.String // name of the provider being read
+	events      *monitoring.Uint   // total number of events received
+	dropped     *monitoring.Uint   // total number of discarded events
+	errors      *monitoring.Uint   // total number of errors
+	batchSize   metrics.Sample     // histogram of the number of events in each non-zero batch
+	sourceLag   metrics.Sample     // histogram of the difference between timestamped event's creation and reading
+	batchPeriod metrics.Sample     // histogram of the elapsed time between non-zero batch reads
+}
+
+// newInputMetrics returns an input metric for windows event logs. If id is empty
+// a nil inputMetric is returned.
+func newInputMetrics(name, id string) *inputMetrics {
+	if id == "" {
+		return nil
+	}
+	reg, unreg := inputmon.NewInputRegistry("winlog", id, nil)
+	out := &inputMetrics{
+		unregister:  unreg,
+		name:        monitoring.NewString(reg, "provider"),
+		events:      monitoring.NewUint(reg, "received_events_total"),
+		dropped:     monitoring.NewUint(reg, "discarded_events_total"),
+		errors:      monitoring.NewUint(reg, "errors_total"),
+		batchSize:   metrics.NewUniformSample(1024),
+		sourceLag:   metrics.NewUniformSample(1024),
+		batchPeriod: metrics.NewUniformSample(1024),
+	}
+	out.name.Set(name)
+	_ = adapter.NewGoMetrics(reg, "received_events_count", adapter.Accept).
+		Register("histogram", metrics.NewHistogram(out.batchSize))
+	_ = adapter.NewGoMetrics(reg, "source_lag_time", adapter.Accept).
+		Register("histogram", metrics.NewHistogram(out.sourceLag))
+	_ = adapter.NewGoMetrics(reg, "batch_read_period", adapter.Accept).
+		Register("histogram", metrics.NewHistogram(out.batchPeriod))
+
+	return out
+}
+
+// log logs metric for the given batch.
+func (m *inputMetrics) log(batch []Record) {
+	if m == nil {
+		return
+	}
+	if len(batch) == 0 {
+		return
+	}
+
+	now := time.Now()
+	if !m.lastBatch.IsZero() {
+		m.batchPeriod.Update(now.Sub(m.lastBatch).Nanoseconds())
+	}
+	m.lastBatch = now
+
+	m.events.Add(uint64(len(batch)))
+	m.batchSize.Update(int64(len(batch)))
+	for _, r := range batch {
+		m.sourceLag.Update(now.Sub(r.TimeCreated.SystemTime).Nanoseconds())
+	}
+}
+
+// logError logs error metrics. Nil errors do not increment the error
+// count but the err value is currently otherwise not used. It is included
+// to allow easier extension of the metrics to include error stratification.
+func (m *inputMetrics) logError(err error) {
+	if m == nil {
+		return
+	}
+	if err == nil {
+		return
+	}
+	m.errors.Inc()
+}
+
+// logDropped logs dropped event metrics. Nil errors *do* increment the dropped
+// count; the value is currently otherwise not used, but is included to allow
+// easier extension of the metrics to include error stratification.
+func (m *inputMetrics) logDropped(_ error) {
+	if m == nil {
+		return
+	}
+	m.dropped.Inc()
+}
+
+func (m *inputMetrics) close() {
+	if m == nil {
+		return
+	}
+	m.unregister()
+}
diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go
index 4fee3824122c..84e65aa95ab3 100644
--- a/winlogbeat/eventlog/wineventlog.go
+++ b/winlogbeat/eventlog/wineventlog.go
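Review bot: `log` feeds `now.Sub(r.TimeCreated.SystemTime)` into the `source_lag_time` histogram for every record without checking that the creation timestamp is populated; if a record reaches this code with a zero `SystemTime` (I cannot see `winevent.Event` in this patch to rule that out), the sample is a multi-century lag that dominates the 1024-entry uniform sample and makes the metric useless for spotting real backlog. A guard such as `if !r.TimeCreated.SystemTime.IsZero() { m.sourceLag.Update(now.Sub(r.TimeCreated.SystemTime).Nanoseconds()) }` keeps the histogram meaningful. Separately, `close` calls the registry's `unregister`, while the three histograms were attached through `adapter.NewGoMetrics` on that same registry; it is worth confirming that unregistering the input registry also releases those go-metrics samples rather than leaving them reachable after the input is closed.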
@@ -20,200 +20,48 @@ package eventlog import ( - "encoding/xml" - "errors" - "expvar" "fmt" "io" + "os" "path/filepath" - "strconv" - "strings" - "sync" - "syscall" - "time" - - "github.com/joeshaw/multierror" - "github.com/rcrowley/go-metrics" + + "go.uber.org/multierr" "golang.org/x/sys/windows" - "github.com/elastic/beats/v7/libbeat/common/cfgwarn" - "github.com/elastic/beats/v7/libbeat/monitoring/inputmon" "github.com/elastic/beats/v7/winlogbeat/checkpoint" - "github.com/elastic/beats/v7/winlogbeat/sys" - "github.com/elastic/beats/v7/winlogbeat/sys/winevent" win "github.com/elastic/beats/v7/winlogbeat/sys/wineventlog" conf "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/logp" - "github.com/elastic/elastic-agent-libs/monitoring" - "github.com/elastic/elastic-agent-libs/monitoring/adapter" -) - -var ( - detailSelector = "eventlog_detail" - detailf = logp.MakeDebug(detailSelector) - - // dropReasons contains counters for the number of dropped events for each - // reason. - dropReasons = expvar.NewMap("drop_reasons") - - // readErrors contains counters for the read error types that occur. - readErrors = expvar.NewMap("read_errors") ) -const ( - // renderBufferSize is the size in bytes of the buffer used to render events. - renderBufferSize = 1 << 19 // 512KB, 256K wide characters - // winEventLogApiName is the name used to identify the Windows Event Log API - // as both an event type and an API. - winEventLogAPIName = "wineventlog" - - // eventLoggingAPIName is the name used to identify the Event Logging API - // as both an event type and an API. - eventLoggingAPIName = "eventlogging" - - // metaTTL is the length of time a WinMeta value is valid in the cache. - metaTTL = time.Hour -) - -func init() { - // Register wineventlog API if it is available. 
- available, _ := win.IsAvailable() - if available { - Register(winEventLogAPIName, 0, newWinEventLog, win.Channels) - Register(eventLoggingAPIName, 1, newEventLogging, win.Channels) - } -} - -type winEventLogConfig struct { - ConfigCommon `config:",inline"` - BatchReadSize int `config:"batch_read_size"` // Maximum number of events that Read will return. - IncludeXML bool `config:"include_xml"` - Forwarded *bool `config:"forwarded"` - SimpleQuery query `config:",inline"` - NoMoreEvents NoMoreEventsAction `config:"no_more_events"` // Action to take when no more events are available - wait or stop. - EventLanguage uint32 `config:"language"` -} - -// query contains parameters used to customize the event log data that is -// queried from the log. -type query struct { - IgnoreOlder time.Duration `config:"ignore_older"` // Ignore records older than this period of time. - EventID string `config:"event_id"` // White-list and black-list of events. - Level string `config:"level"` // Severity level. - Provider []string `config:"provider"` // Provider (source name). -} - -// NoMoreEventsAction defines what action for the reader to take when -// ERROR_NO_MORE_ITEMS is returned by the Windows API. -type NoMoreEventsAction uint8 - -const ( - // Wait for new events. - Wait NoMoreEventsAction = iota - // Stop the reader. - Stop -) - -var noMoreEventsActionNames = map[NoMoreEventsAction]string{ - Wait: "wait", - Stop: "stop", -} - -// Unpack sets the action based on the string value. -func (a *NoMoreEventsAction) Unpack(v string) error { - v = strings.ToLower(v) - for action, name := range noMoreEventsActionNames { - if v == name { - *a = action - return nil - } - } - return fmt.Errorf("invalid no_more_events action: %v", v) -} - -// String returns the name of the action. -func (a NoMoreEventsAction) String() string { return noMoreEventsActionNames[a] } - -// defaultWinEventLogConfig is the default configuration for new wineventlog readers. 
-var defaultWinEventLogConfig = winEventLogConfig{ - BatchReadSize: 100, -} - -// Validate validates the winEventLogConfig data and returns an error describing -// any problems or nil. -func (c *winEventLogConfig) Validate() error { - var errs multierror.Errors - - if c.XMLQuery != "" { - if c.ID == "" { - errs = append(errs, fmt.Errorf("event log is missing an 'id'")) - } - - // Check for XML syntax errors. This does not check the validity of the query itself. - if err := xml.Unmarshal([]byte(c.XMLQuery), &struct{}{}); err != nil { - errs = append(errs, fmt.Errorf("invalid xml_query: %w", err)) - } - - switch { - case c.Name != "": - errs = append(errs, fmt.Errorf("xml_query cannot be used with 'name'")) - case c.SimpleQuery.IgnoreOlder != 0: - errs = append(errs, fmt.Errorf("xml_query cannot be used with 'ignore_older'")) - case c.SimpleQuery.Level != "": - errs = append(errs, fmt.Errorf("xml_query cannot be used with 'level'")) - case c.SimpleQuery.EventID != "": - errs = append(errs, fmt.Errorf("xml_query cannot be used with 'event_id'")) - case len(c.SimpleQuery.Provider) != 0: - errs = append(errs, fmt.Errorf("xml_query cannot be used with 'provider'")) - } - } else if c.Name == "" { - errs = append(errs, fmt.Errorf("event log is missing a 'name'")) - } - - return errs.Err() -} - -// Validate that winEventLog implements the EventLog interface. -var _ EventLog = &winEventLog{} - -// winEventLog implements the EventLog interface for reading from the Windows +// winEventLogRaw implements the EventLog interface for reading from the Windows // Event Log API. -type winEventLog struct { - config winEventLogConfig - query string - id string // Identifier of this event log. - channelName string // Name of the channel from which to read. - file bool // Reading from file rather than channel. - subscription win.EvtHandle // Handle to the subscription. - maxRead int // Maximum number returned in one Read. 
- lastRead checkpoint.EventLogState // Record number of the last read event. - - render func(event win.EvtHandle, out io.Writer) error // Function for rendering the event to XML. - message func(event win.EvtHandle) (string, error) // Message fallback function. - renderBuf []byte // Buffer used for rendering event. - outputBuf *sys.ByteBuffer // Buffer for receiving XML - cache *messageFilesCache // Cached mapping of source name to event message file handles. - - winMetaCache // Cached WinMeta tables by provider. - - logPrefix string // String to prefix on log messages. +type winEventLogRaw struct { + config config + query string + id string // Identifier of this event log. + channelName string // Name of the channel from which to read. + file bool // Reading from file rather than channel. + maxRead int // Maximum number returned in one Read. + lastRead checkpoint.EventLogState // Record number of the last read event. + log *logp.Logger + + iterator *win.EventIterator + renderer win.EventRenderer metrics *inputMetrics } -func newEventLogging(options *conf.C) (EventLog, error) { - cfgwarn.Deprecate("8.0.0", fmt.Sprintf("api %s is deprecated and %s will be used instead", eventLoggingAPIName, winEventLogAPIName)) - return newWinEventLog(options) -} - // newWinEventLog creates and returns a new EventLog for reading event logs // using the Windows Event Log. func newWinEventLog(options *conf.C) (EventLog, error) { var xmlQuery string var err error + var isFile bool + var log *logp.Logger - c := defaultWinEventLogConfig - if err = readConfig(options, &c); err != nil { + c := config{BatchReadSize: 512} + if err := readConfig(options, &c); err != nil { return nil, err } 
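Review bot: The compile-time assertion `var _ EventLog = &winEventLog{}` is deleted together with the old type, and nothing on the new side asserts that `winEventLogRaw` still satisfies `EventLog`; add `var _ EventLog = &winEventLogRaw{}` next to the type unless it lives in another file. In newWinEventLog, `if err := readConfig(options, &c); err != nil` now shadows the `var err error` declared a few lines above (the removed line used `=`), which is harmless here but easy to trip over when the outer `err` is later reused by `win.Query{...}.Build()`. The default `config{BatchReadSize: 512}` is a bare literal where the old code had the named `defaultWinEventLogConfig`; a named constant such as `defaultBatchReadSize` would keep the documented default in one place. newWinEventLog continues past the end of this hunk.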
@@ -224,9 +72,20 @@ func newWinEventLog(options *conf.C) (EventLog, error) {
 
 if c.XMLQuery != "" {
 xmlQuery = c.XMLQuery
+ log = logp.NewLogger("wineventlog").With("id", id)
 } else {
+ queryLog := c.Name
+ if info, err := os.Stat(c.Name); err == nil && info.Mode().IsRegular() {
+ path, err := filepath.Abs(c.Name)
+ if err != nil {
+ return nil, err
+ }
+ isFile = true
+ queryLog = "file://" + path
+ }
+
 xmlQuery, err = win.Query{
- Log: c.Name,
+ Log: queryLog,
 IgnoreOlder: c.SimpleQuery.IgnoreOlder,
 Level: c.SimpleQuery.Level,
 EventID: c.SimpleQuery.EventID,
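Review bot: File-versus-channel detection now rests on `os.Stat(c.Name)` resolved against the process working directory, so a configured channel name such as `Security` silently turns into file mode whenever a regular file of that name happens to sit in the cwd; the code this replaces only treated absolute paths (`filepath.IsAbs`) as files. If relative paths are meant to be accepted, at least restrict the switch to what looks like a path, e.g. `if info, err := os.Stat(c.Name); (filepath.IsAbs(c.Name) || filepath.Ext(c.Name) != "") && err == nil && info.Mode().IsRegular() {`, and document the resolution rule on the `name` option. No logger exists yet at this point, so the mode decision is invisible at runtime; consider a `log.Infow("Reading from event log file.", "path", path)` once `log` is created below. The surrounding function continues outside this hunk.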
@@ -235,100 +94,90 @@ func newWinEventLog(options *conf.C) (EventLog, error) { if err != nil { return nil, err } - } - eventMetadataHandle := func(providerName, sourceName string) sys.MessageFiles { - mf := sys.MessageFiles{SourceName: sourceName} - h, err := win.OpenPublisherMetadata(0, sourceName, c.EventLanguage) + log = logp.NewLogger("wineventlog").With("id", id).With("channel", c.Name) + } + + l := &winEventLogRaw{ + config: c, + query: xmlQuery, + id: id, + channelName: c.Name, + file: isFile, + maxRead: c.BatchReadSize, + log: log, + } + + switch c.IncludeXML { + case true: + l.renderer = win.NewXMLRenderer( + win.RenderConfig{ + IsForwarded: l.isForwarded(), + Locale: c.EventLanguage, + }, + win.NilHandle, log) + case false: + l.renderer, err = win.NewRenderer( + win.RenderConfig{ + IsForwarded: l.isForwarded(), + Locale: c.EventLanguage, + }, + win.NilHandle, log) if err != nil { - mf.Err = err - return mf - } - - mf.Handles = []sys.FileHandle{{Handle: uintptr(h)}} - return mf - } - - freeHandle := func(handle uintptr) error { - return win.Close(win.EvtHandle(handle)) - } - - if filepath.IsAbs(c.Name) { - c.Name = filepath.Clean(c.Name) - } - - l := &winEventLog{ - id: id, - config: c, - query: xmlQuery, - channelName: c.Name, - file: filepath.IsAbs(c.Name), - maxRead: c.BatchReadSize, - renderBuf: make([]byte, renderBufferSize), - outputBuf: sys.NewByteBuffer(renderBufferSize), - cache: newMessageFilesCache(id, eventMetadataHandle, freeHandle), - winMetaCache: newWinMetaCache(metaTTL), - logPrefix: fmt.Sprintf("WinEventLog[%s]", id), - } - - // Forwarded events should be rendered using RenderEventXML. It is more - // efficient and does not attempt to use local message files for rendering - // the event's message. 
- switch { - case l.isForwarded(): - l.render = func(event win.EvtHandle, out io.Writer) error { - return win.RenderEventXML(event, l.renderBuf, out) - } - default: - l.render = func(event win.EvtHandle, out io.Writer) error { - return win.RenderEvent(event, c.EventLanguage, l.renderBuf, l.cache.get, out) - } - l.message = func(event win.EvtHandle) (string, error) { - return win.Message(event, l.renderBuf, l.cache.get) + return nil, err } } return l, nil } -func (l *winEventLog) isForwarded() bool { +func (l *winEventLogRaw) isForwarded() bool { c := l.config return (c.Forwarded != nil && *c.Forwarded) || (c.Forwarded == nil && c.Name == "ForwardedEvents") } // Name returns the name of the event log (i.e. Application, Security, etc.). -func (l *winEventLog) Name() string { +func (l *winEventLogRaw) Name() string { return l.id } // Channel returns the event log's channel name. -func (l *winEventLog) Channel() string { +func (l *winEventLogRaw) Channel() string { return l.channelName } // IsFile returns true if the event log is an evtx file. 
-func (l *winEventLog) IsFile() bool { +func (l *winEventLogRaw) IsFile() bool { return l.file } -func (l *winEventLog) Open(state checkpoint.EventLogState) error { - var bookmark win.EvtHandle - var err error +func (l *winEventLogRaw) Open(state checkpoint.EventLogState) error { + l.lastRead = state // we need to defer metrics initialization since when the event log // is used from winlog input it would register it twice due to CheckConfig calls if l.metrics == nil { l.metrics = newInputMetrics(l.channelName, l.id) } + + var err error + l.iterator, err = win.NewEventIterator( + win.WithSubscriptionFactory(func() (handle win.EvtHandle, err error) { + return l.open(l.lastRead) + }), + win.WithBatchSize(l.maxRead)) + return err +} + +func (l *winEventLogRaw) open(state checkpoint.EventLogState) (win.EvtHandle, error) { + var bookmark win.Bookmark if len(state.Bookmark) > 0 { - bookmark, err = win.CreateBookmarkFromXML(state.Bookmark) - } else if state.RecordNumber > 0 && l.channelName != "" { - bookmark, err = win.CreateBookmarkFromRecordID(l.channelName, state.RecordNumber) - } - if err != nil { - l.metrics.logError(err) - return err + var err error + bookmark, err = win.NewBookmarkFromXML(state.Bookmark) + if err != nil { + return win.NilHandle, err + } + defer bookmark.Close() } - defer win.Close(bookmark) if l.file { return l.openFile(state, bookmark) 
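Review bot: The renderer selection uses `switch c.IncludeXML { case true: … case false: … }` on a bool, which reads oddly and hides that both arms are mutually exclusive; a plain `if c.IncludeXML { … } else { … }` says the same thing. open() drops the old fallback that built a bookmark from `state.RecordNumber` when `state.Bookmark` was empty, so a persisted checkpoint that carries only a record number now resumes from the subscription's default start position; if that is intended (only states written by this reader are expected), say so with `// Only XML bookmarks are honoured; a state with just a RecordNumber starts from the default position.` above the `if len(state.Bookmark) > 0` check. Open() also stores the caller's state in `l.lastRead` and the subscription factory re-reads it on every (re)subscription, which is the mechanism that makes iterator recovery resume from the last processed event; a one-line comment on the factory closure would make that dependency explicit. open() ends outside this hunk.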
@@ -336,54 +185,49 @@ func (l *winEventLog) Open(state checkpoint.EventLogState) error { return l.openChannel(bookmark) } -func (l *winEventLog) openFile(state checkpoint.EventLogState, bookmark win.EvtHandle) error { +func (l *winEventLogRaw) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) { path := l.channelName h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection) if err != nil { - l.metrics.logError(err) - return fmt.Errorf("failed to get handle to event log file %v: %w", path, err) + return win.NilHandle, fmt.Errorf("failed to get handle to event log file %v: %w", path, err) } if bookmark > 0 { - debugf("%s Seeking to bookmark. timestamp=%v bookmark=%v", - l.logPrefix, state.Timestamp, state.Bookmark) + l.log.Debugf("Seeking to bookmark. timestamp=%v bookmark=%v", + state.Timestamp, state.Bookmark) // This seeks to the last read event and strictly validates that the // bookmarked record number exists. - if err = win.EvtSeek(h, 0, bookmark, win.EvtSeekRelativeToBookmark|win.EvtSeekStrict); err == nil { + if err = win.EvtSeek(h, 0, win.EvtHandle(bookmark), win.EvtSeekRelativeToBookmark|win.EvtSeekStrict); err == nil { // Then we advance past the last read event to avoid sending that // event again. This won't fail if we're at the end of the file. - if seekErr := win.EvtSeek(h, 1, bookmark, win.EvtSeekRelativeToBookmark); seekErr != nil { + if seekErr := win.EvtSeek(h, 1, win.EvtHandle(bookmark), win.EvtSeekRelativeToBookmark); seekErr != nil { err = fmt.Errorf("failed to seek past bookmarked position: %w", seekErr) } } else { - logp.Warn("%s Failed to seek to bookmarked location in %v (error: %v). "+ + l.log.Warnf("s Failed to seek to bookmarked location in %v (error: %v). "+ "Recovering by reading the log from the beginning. 
(Did the file "+ - "change since it was last read?)", l.logPrefix, path, err) - l.metrics.logError(err) + "change since it was last read?)", path, err) if seekErr := win.EvtSeek(h, 0, 0, win.EvtSeekRelativeToFirst); seekErr != nil { err = fmt.Errorf("failed to seek to beginning of log: %w", seekErr) } } if err != nil { - l.metrics.logError(err) - return err + return win.NilHandle, err } } - l.subscription = h - return nil + return h, err } -func (l *winEventLog) openChannel(bookmark win.EvtHandle) error { +func (l *winEventLogRaw) openChannel(bookmark win.Bookmark) (win.EvtHandle, error) { // Using a pull subscription to receive events. See: // https://msdn.microsoft.com/en-us/library/windows/desktop/aa385771(v=vs.85).aspx#pull signalEvent, err := windows.CreateEvent(nil, 0, 0, nil) if err != nil { - l.metrics.logError(err) - return err + return win.NilHandle, err } defer windows.CloseHandle(signalEvent) //nolint:errcheck // This is just a resource release. 
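Review bot: The warning in openFile's `else` branch now starts with a stray `"s Failed to seek…"`, a leftover from the removed `%s` prefix that took `l.logPrefix`; change it to `l.log.Warnf("Failed to seek to bookmarked location in %v (error: %v). "+`. In the same block, when the seek fails the function returns `win.NilHandle, err` without releasing the query handle obtained from `win.EvtQuery`, which the old code also leaked but is cheap to fix now that `EvtHandle` has `Close()` (used by processHandle): `if err != nil { h.Close(); return win.NilHandle, err }`. The final `return h, err` is reached only with `err == nil`, so `return h, nil` states the contract more clearly.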
@@ -399,348 +243,129 @@ func (l *winEventLog) openChannel(bookmark win.EvtHandle) error { flags = win.EvtSubscribeStartAtOldestRecord } - debugf("%s using subscription query=%s", l.logPrefix, l.query) - subscriptionHandle, err := win.Subscribe( + l.log.Debugw("Using subscription query.", "winlog.query", l.query) + h, err := win.Subscribe( 0, // Session - nil for localhost signalEvent, - "", // Channel - empty b/c channel is in the query - l.query, // Query - nil means all events - bookmark, // Bookmark - for resuming from a specific event + "", // Channel - empty b/c channel is in the query + l.query, // Query - nil means all events + win.EvtHandle(bookmark), // Bookmark - for resuming from a specific event flags) - switch { - case errors.Is(err, win.ERROR_NOT_FOUND), errors.Is(err, win.ERROR_EVT_QUERY_RESULT_STALE), - errors.Is(err, win.ERROR_EVT_QUERY_RESULT_INVALID_POSITION): - debugf("%s error subscribing (first chance): %v", l.logPrefix, err) + switch err { //nolint:errorlint // This is an errno or nil. + case nil: + return h, nil + case win.ERROR_NOT_FOUND, win.ERROR_EVT_QUERY_RESULT_STALE, win.ERROR_EVT_QUERY_RESULT_INVALID_POSITION: // The bookmarked event was not found, we retry the subscription from the start. 
- l.metrics.logError(err) incrementMetric(readErrors, err) - subscriptionHandle, err = win.Subscribe(0, signalEvent, "", l.query, 0, win.EvtSubscribeStartAtOldestRecord) - } - - if err != nil { - l.metrics.logError(err) - debugf("%s error subscribing (final): %v", l.logPrefix, err) - return err + return win.Subscribe(0, signalEvent, "", l.query, 0, win.EvtSubscribeStartAtOldestRecord) + default: + return 0, err } - - l.subscription = subscriptionHandle - return nil } -func (l *winEventLog) Read() ([]Record, error) { - handles, _, err := l.eventHandles(l.maxRead) - if err != nil || len(handles) == 0 { - return nil, err - } - +func (l *winEventLogRaw) Read() ([]Record, error) { //nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive. var records []Record defer func() { l.metrics.log(records) - for _, h := range handles { - win.Close(h) - } }() - detailf("%s EventHandles returned %d handles", l.logPrefix, len(handles)) - for _, h := range handles { - l.outputBuf.Reset() - err := l.render(h, l.outputBuf) - l.metrics.logError(err) - if err != nil && l.outputBuf.Len() == 0 { - logp.Err("%s Dropping event with rendering error. %v", l.logPrefix, err) + for h, ok := l.iterator.Next(); ok; h, ok = l.iterator.Next() { + record, err := l.processHandle(h) + if err != nil { + l.metrics.logError(err) + l.log.Warnw("Dropping event due to rendering error.", "error", err) l.metrics.logDropped(err) incrementMetric(dropReasons, err) continue } + records = append(records, *record) - r := l.buildRecordFromXML(l.outputBuf.Bytes(), err) - r.Offset = checkpoint.EventLogState{ - Name: l.id, - RecordNumber: r.RecordID, - Timestamp: r.TimeCreated.SystemTime, + // It has read the maximum requested number of events. 
+ if len(records) >= l.maxRead { + return records, nil } - if r.Offset.Bookmark, err = l.createBookmarkFromEvent(h); err != nil { - l.metrics.logError(err) - logp.Warn("%s failed creating bookmark: %v", l.logPrefix, err) - } - if r.Message == "" && l.message != nil { - r.Message, err = l.message(h) - if err != nil { - l.metrics.logError(err) - logp.Warn("%s error salvaging message (event id=%d qualifier=%d provider=%q created at %s will be included without a message): %v", - l.logPrefix, r.EventIdentifier.ID, r.EventIdentifier.Qualifiers, r.Provider.Name, r.TimeCreated.SystemTime, err) - } - } - records = append(records, r) - l.lastRead = r.Offset } - debugf("%s Read() is returning %d records", l.logPrefix, len(records)) - return records, nil -} - -func (l *winEventLog) eventHandles(maxRead int) ([]win.EvtHandle, int, error) { - handles, err := win.EventHandles(l.subscription, maxRead) - switch err { //nolint:errorlint // This is an errno or nil. - case nil: - if l.maxRead > maxRead { - debugf("%s Recovered from RPC_S_INVALID_BOUND error (errno 1734) "+ - "by decreasing batch_read_size to %v", l.logPrefix, maxRead) - } - return handles, maxRead, nil - case win.ERROR_NO_MORE_ITEMS: - detailf("%s No more events", l.logPrefix) - if l.config.NoMoreEvents == Stop { - return nil, maxRead, io.EOF - } - return nil, maxRead, nil - case win.RPC_S_INVALID_BOUND: - incrementMetric(readErrors, err) + // An error occurred while retrieving more events. 
+ if err := l.iterator.Err(); err != nil { l.metrics.logError(err) - if err := l.Close(); err != nil { - return nil, 0, fmt.Errorf("failed to recover from RPC_S_INVALID_BOUND: %w", err) - } - if err := l.Open(l.lastRead); err != nil { - return nil, 0, fmt.Errorf("failed to recover from RPC_S_INVALID_BOUND: %w", err) - } - return l.eventHandles(maxRead / 2) - default: - l.metrics.logError(err) - incrementMetric(readErrors, err) - logp.Warn("%s EventHandles returned error %v", l.logPrefix, err) - return nil, 0, err + return records, err } -} -func (l *winEventLog) buildRecordFromXML(x []byte, recoveredErr error) Record { - includeXML := l.config.IncludeXML - e, err := winevent.UnmarshalXML(x) - if err != nil { - e.RenderErr = append(e.RenderErr, err.Error()) - // Add raw XML to event.original when decoding fails - includeXML = true + // Reader is configured to stop when there are no more events. + if Stop == l.config.NoMoreEvents { + return records, io.EOF } - err = winevent.PopulateAccount(&e.User) - if err != nil { - debugf("%s SID %s account lookup failed. %v", l.logPrefix, - e.User.Identifier, err) - } + return records, nil +} - if e.RenderErrorCode != 0 { - // Convert the render error code to an error message that can be - // included in the "error.message" field. - e.RenderErr = append(e.RenderErr, syscall.Errno(e.RenderErrorCode).Error()) - } else if recoveredErr != nil { - e.RenderErr = append(e.RenderErr, recoveredErr.Error()) - } +func (l *winEventLogRaw) processHandle(h win.EvtHandle) (*Record, error) { + defer h.Close() - // Get basic string values for raw fields. - winevent.EnrichRawValuesWithNames(l.winMeta(e.Provider.Name, l.config.EventLanguage), &e) - if e.Level == "" { - // Fallback on LevelRaw if the Level is not set in the RenderingInfo. - e.Level = win.EventLevel(e.LevelRaw).String() + // NOTE: Render can return an error and a partial event. 
+ evt, xml, err := l.renderer.Render(h) + if evt == nil { + return nil, err + } + if err != nil { + evt.RenderErr = append(evt.RenderErr, err.Error()) } - if logp.IsDebug(detailSelector) { - detailf("%s XML=%s Event=%+v", l.logPrefix, x, e) + r := &Record{ + Event: *evt, } - r := Record{ - API: winEventLogAPIName, - Event: e, + if l.config.IncludeXML { + r.XML = xml } if l.file { r.File = l.id } - if includeXML { - r.XML = string(x) + r.Offset = checkpoint.EventLogState{ + Name: l.id, + RecordNumber: r.RecordID, + Timestamp: r.TimeCreated.SystemTime, } - - return r -} - -func (l *winEventLog) createBookmarkFromEvent(evtHandle win.EvtHandle) (string, error) { - bmHandle, err := win.CreateBookmarkFromEvent(evtHandle) - if err != nil { - return "", err + if r.Offset.Bookmark, err = l.createBookmarkFromEvent(h); err != nil { + l.metrics.logError(err) + l.log.Warnw("Failed creating bookmark.", "error", err) } - l.outputBuf.Reset() - err = win.RenderBookmarkXML(bmHandle, l.renderBuf, l.outputBuf) - win.Close(bmHandle) - return string(l.outputBuf.Bytes()), err + l.lastRead = r.Offset + return r, nil } -func (l *winEventLog) Reset() error { - debugf("%s Closing handle for reset", l.logPrefix) - return win.Close(l.subscription) -} - -func (l *winEventLog) Close() error { - debugf("%s Closing handle", l.logPrefix) - l.metrics.close() - return win.Close(l.subscription) -} - -// winMetaCache retrieves and caches WinMeta tables by provider name. -// It is a cut down version of the PublisherMetadataStore caching in wineventlog.Renderer. 
-type winMetaCache struct { - ttl time.Duration - logger *logp.Logger - - mu sync.RWMutex - cache map[string]winMetaCacheEntry -} - -type winMetaCacheEntry struct { - expire time.Time - *winevent.WinMeta -} - -func newWinMetaCache(ttl time.Duration) winMetaCache { - return winMetaCache{cache: make(map[string]winMetaCacheEntry), ttl: ttl, logger: logp.L()} -} - -func (c *winMetaCache) winMeta(provider string, locale uint32) *winevent.WinMeta { - c.mu.RLock() - e, ok := c.cache[provider] - c.mu.RUnlock() - if ok && time.Until(e.expire) > 0 { - return e.WinMeta - } - - // Upgrade lock. - defer c.mu.Unlock() - c.mu.Lock() - - // Did the cache get updated during lock upgrade? - // No need to check expiry here since we must have a new entry - // if there is an entry at all. - if e, ok := c.cache[provider]; ok { - return e.WinMeta - } - - s, err := win.NewPublisherMetadataStore(win.NilHandle, provider, locale, c.logger) +func (l *winEventLogRaw) createBookmarkFromEvent(evtHandle win.EvtHandle) (string, error) { + bookmark, err := win.NewBookmarkFromEvent(evtHandle) if err != nil { - // Return an empty store on error (can happen in cases where the - // log was forwarded and the provider doesn't exist on collector). - s = win.NewEmptyPublisherMetadataStore(provider, c.logger) - logp.Warn("failed to load publisher metadata for %v (returning an empty metadata store): %v", provider, err) + return "", fmt.Errorf("failed to create new bookmark from event handle: %w", err) } - s.Close() - c.cache[provider] = winMetaCacheEntry{expire: time.Now().Add(c.ttl), WinMeta: &s.WinMeta} - return &s.WinMeta -} + defer bookmark.Close() -// incrementMetric increments a value in the specified expvar.Map. The key -// should be a windows syscall.Errno or a string. Any other types will be -// reported under the "other" key. 
-func incrementMetric(v *expvar.Map, key interface{}) { - switch t := key.(type) { - default: - v.Add("other", 1) - case string: - v.Add(t, 1) - case syscall.Errno: - v.Add(strconv.Itoa(int(t)), 1) - } + return bookmark.XML() } -// inputMetrics handles event log metric reporting. -type inputMetrics struct { - unregister func() - - lastBatch time.Time - - name *monitoring.String // name of the provider being read - events *monitoring.Uint // total number of events received - dropped *monitoring.Uint // total number of discarded events - errors *monitoring.Uint // total number of errors - batchSize metrics.Sample // histogram of the number of events in each non-zero batch - sourceLag metrics.Sample // histogram of the difference between timestamped event's creation and reading - batchPeriod metrics.Sample // histogram of the elapsed time between non-zero batch reads -} - -// newInputMetrics returns an input metric for windows event logs. If id is empty -// a nil inputMetric is returned. -func newInputMetrics(name, id string) *inputMetrics { - if id == "" { - return nil - } - reg, unreg := inputmon.NewInputRegistry("winlog", id, nil) - out := &inputMetrics{ - unregister: unreg, - name: monitoring.NewString(reg, "provider"), - events: monitoring.NewUint(reg, "received_events_total"), - dropped: monitoring.NewUint(reg, "discarded_events_total"), - errors: monitoring.NewUint(reg, "errors_total"), - batchSize: metrics.NewUniformSample(1024), - sourceLag: metrics.NewUniformSample(1024), - batchPeriod: metrics.NewUniformSample(1024), - } - out.name.Set(name) - _ = adapter.NewGoMetrics(reg, "received_events_count", adapter.Accept). - Register("histogram", metrics.NewHistogram(out.batchSize)) - _ = adapter.NewGoMetrics(reg, "source_lag_time", adapter.Accept). - Register("histogram", metrics.NewHistogram(out.sourceLag)) - _ = adapter.NewGoMetrics(reg, "batch_read_period", adapter.Accept). 
- Register("histogram", metrics.NewHistogram(out.batchPeriod)) - - return out -} - -// log logs metric for the given batch. -func (m *inputMetrics) log(batch []Record) { - if m == nil { - return - } - if len(batch) == 0 { - return - } - - now := time.Now() - if !m.lastBatch.IsZero() { - m.batchPeriod.Update(now.Sub(m.lastBatch).Nanoseconds()) - } - m.lastBatch = now - - m.events.Add(uint64(len(batch))) - m.batchSize.Update(int64(len(batch))) - for _, r := range batch { - m.sourceLag.Update(now.Sub(r.TimeCreated.SystemTime).Nanoseconds()) - } -} - -// logError logs error metrics. Nil errors do not increment the error -// count but the err value is currently otherwise not used. It is included -// to allow easier extension of the metrics to include error stratification. -func (m *inputMetrics) logError(err error) { - if m == nil { - return - } - if err == nil { - return - } - m.errors.Inc() +func (l *winEventLogRaw) Reset() error { + l.log.Debug("Closing event log reader handles for reset.") + return l.close() } -// logDropped logs dropped event metrics. Nil errors *do* increment the dropped -// count; the value is currently otherwise not used, but is included to allow -// easier extension of the metrics to include error stratification. -func (m *inputMetrics) logDropped(_ error) { - if m == nil { - return - } - m.dropped.Inc() +func (l *winEventLogRaw) Close() error { + l.log.Debug("Closing event log reader handles.") + l.metrics.close() + return l.close() } -func (m *inputMetrics) close() { - if m == nil { - return +func (l *winEventLogRaw) close() error { + if l.iterator == nil { + return l.renderer.Close() } - m.unregister() + return multierr.Combine( + l.iterator.Close(), + l.renderer.Close(), + ) } diff --git a/winlogbeat/eventlog/wineventlog_raw.go b/winlogbeat/eventlog/wineventlog_raw.go deleted file mode 100644 index 7a6917e9b7ad..000000000000 --- a/winlogbeat/eventlog/wineventlog_raw.go +++ /dev/null 
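Review bot: Reset() now goes through close(), which closes the renderer as well as the iterator, but Open() only rebuilds the iterator, so a Reset followed by Open leaves `l.renderer` closed unless `EventRenderer.Close` is safe to keep using afterwards, which is not visible here; have Reset close only the iterator, `if l.iterator == nil { return nil }` followed by `return l.iterator.Close()`. In processHandle, when createBookmarkFromEvent fails the record's Offset keeps an empty Bookmark yet still becomes `l.lastRead` and is handed back for checkpointing, and since open() only honours XML bookmarks a restart from such a state silently loses position; either say that in the warning (`"Failed creating bookmark; a restart from this checkpoint will not resume at this event."`) or avoid advancing `l.lastRead` in that case. If `Render` can ever return a nil event together with a nil error, processHandle returns `nil, nil` and Read dereferences `*record`; guarding with `if evt == nil { if err == nil { err = fmt.Errorf("renderer returned no event") }; return nil, err }` closes that hole. Two style nits: `if Stop == l.config.NoMoreEvents` is a Yoda condition, and openChannel's `default: return 0, err` should use `win.NilHandle` like the other arms.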
@@ -1,390 +0,0 @@ -// Licensed to Elasticsearch B.V. under one or more contributor -// license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright -// ownership. Elasticsearch B.V. licenses this file to you under -// the Apache License, Version 2.0 (the "License"); you may -// not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, -// software distributed under the License is distributed on an -// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY -// KIND, either express or implied. See the License for the -// specific language governing permissions and limitations -// under the License. - -//go:build windows - -package eventlog - -import ( - "fmt" - "io" - "os" - "path/filepath" - - "go.uber.org/multierr" - "golang.org/x/sys/windows" - - "github.com/elastic/beats/v7/winlogbeat/checkpoint" - win "github.com/elastic/beats/v7/winlogbeat/sys/wineventlog" - conf "github.com/elastic/elastic-agent-libs/config" - "github.com/elastic/elastic-agent-libs/logp" -) - -const ( - // winEventLogExpApiName is the name used to identify the Windows Event Log API - // as both an event type and an API. - winEventLogExpAPIName = "wineventlog-experimental" - // winEventLogRawAPIName is the name used to identify the Windows Event Log API - // as both an event type and an API. - winEventLogRawAPIName = "wineventlog-raw" -) - -func init() { - // Register wineventlog API if it is available. - available, _ := win.IsAvailable() - if available { - Register(winEventLogExpAPIName, 10, newWinEventLogRaw, win.Channels) - Register(winEventLogRawAPIName, 11, newWinEventLogRaw, win.Channels) - } -} - -// winEventLogRaw implements the EventLog interface for reading from the Windows -// Event Log API. 
-type winEventLogRaw struct { - config winEventLogConfig - query string - id string // Identifier of this event log. - channelName string // Name of the channel from which to read. - file bool // Reading from file rather than channel. - maxRead int // Maximum number returned in one Read. - lastRead checkpoint.EventLogState // Record number of the last read event. - log *logp.Logger - - iterator *win.EventIterator - renderer win.EventRenderer - - metrics *inputMetrics -} - -// newWinEventLogRaw creates and returns a new EventLog for reading event logs -// using the Windows Event Log. -func newWinEventLogRaw(options *conf.C) (EventLog, error) { - var xmlQuery string - var err error - var isFile bool - var log *logp.Logger - - c := winEventLogConfig{BatchReadSize: 512} - if err := readConfig(options, &c); err != nil { - return nil, err - } - - id := c.ID - if id == "" { - id = c.Name - } - - if c.XMLQuery != "" { - xmlQuery = c.XMLQuery - log = logp.NewLogger("wineventlog").With("id", id) - } else { - queryLog := c.Name - if info, err := os.Stat(c.Name); err == nil && info.Mode().IsRegular() { - path, err := filepath.Abs(c.Name) - if err != nil { - return nil, err - } - isFile = true - queryLog = "file://" + path - } - - xmlQuery, err = win.Query{ - Log: queryLog, - IgnoreOlder: c.SimpleQuery.IgnoreOlder, - Level: c.SimpleQuery.Level, - EventID: c.SimpleQuery.EventID, - Provider: c.SimpleQuery.Provider, - }.Build() - if err != nil { - return nil, err - } - - log = logp.NewLogger("wineventlog").With("id", id).With("channel", c.Name) - } - - l := &winEventLogRaw{ - config: c, - query: xmlQuery, - id: id, - channelName: c.Name, - file: isFile, - maxRead: c.BatchReadSize, - log: log, - } - - switch c.IncludeXML { - case true: - l.renderer = win.NewXMLRenderer( - win.RenderConfig{ - IsForwarded: l.isForwarded(), - Locale: c.EventLanguage, - }, - win.NilHandle, log) - case false: - l.renderer, err = win.NewRenderer( - win.RenderConfig{ - IsForwarded: l.isForwarded(), - 
Locale: c.EventLanguage, - }, - win.NilHandle, log) - if err != nil { - return nil, err - } - } - - return l, nil -} - -func (l *winEventLogRaw) isForwarded() bool { - c := l.config - return (c.Forwarded != nil && *c.Forwarded) || (c.Forwarded == nil && c.Name == "ForwardedEvents") -} - -// Name returns the name of the event log (i.e. Application, Security, etc.). -func (l *winEventLogRaw) Name() string { - return l.id -} - -// Channel returns the event log's channel name. -func (l *winEventLogRaw) Channel() string { - return l.channelName -} - -// IsFile returns true if the event log is an evtx file. -func (l *winEventLogRaw) IsFile() bool { - return l.file -} - -func (l *winEventLogRaw) Open(state checkpoint.EventLogState) error { - l.lastRead = state - // we need to defer metrics initialization since when the event log - // is used from winlog input it would register it twice due to CheckConfig calls - if l.metrics == nil { - l.metrics = newInputMetrics(l.channelName, l.id) - } - - var err error - l.iterator, err = win.NewEventIterator( - win.WithSubscriptionFactory(func() (handle win.EvtHandle, err error) { - return l.open(l.lastRead) - }), - win.WithBatchSize(l.maxRead)) - return err -} - -func (l *winEventLogRaw) open(state checkpoint.EventLogState) (win.EvtHandle, error) { - var bookmark win.Bookmark - if len(state.Bookmark) > 0 { - var err error - bookmark, err = win.NewBookmarkFromXML(state.Bookmark) - if err != nil { - return win.NilHandle, err - } - defer bookmark.Close() - } - - if l.file { - return l.openFile(state, bookmark) - } - return l.openChannel(bookmark) -} - -func (l *winEventLogRaw) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) { - path := l.channelName - - h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection) - if err != nil { - return win.NilHandle, fmt.Errorf("failed to get handle to event log file %v: %w", path, err) - } - - if bookmark > 0 { - 
l.log.Debugf("Seeking to bookmark. timestamp=%v bookmark=%v", - state.Timestamp, state.Bookmark) - - // This seeks to the last read event and strictly validates that the - // bookmarked record number exists. - if err = win.EvtSeek(h, 0, win.EvtHandle(bookmark), win.EvtSeekRelativeToBookmark|win.EvtSeekStrict); err == nil { - // Then we advance past the last read event to avoid sending that - // event again. This won't fail if we're at the end of the file. - if seekErr := win.EvtSeek(h, 1, win.EvtHandle(bookmark), win.EvtSeekRelativeToBookmark); seekErr != nil { - err = fmt.Errorf("failed to seek past bookmarked position: %w", seekErr) - } - } else { - l.log.Warnf("s Failed to seek to bookmarked location in %v (error: %v). "+ - "Recovering by reading the log from the beginning. (Did the file "+ - "change since it was last read?)", path, err) - if seekErr := win.EvtSeek(h, 0, 0, win.EvtSeekRelativeToFirst); seekErr != nil { - err = fmt.Errorf("failed to seek to beginning of log: %w", seekErr) - } - } - - if err != nil { - return win.NilHandle, err - } - } - - return h, err -} - -func (l *winEventLogRaw) openChannel(bookmark win.Bookmark) (win.EvtHandle, error) { - // Using a pull subscription to receive events. See: - // https://msdn.microsoft.com/en-us/library/windows/desktop/aa385771(v=vs.85).aspx#pull - signalEvent, err := windows.CreateEvent(nil, 0, 0, nil) - if err != nil { - return win.NilHandle, err - } - defer windows.CloseHandle(signalEvent) //nolint:errcheck // This is just a resource release. - - var flags win.EvtSubscribeFlag - if bookmark > 0 { - flags = win.EvtSubscribeStartAfterBookmark - if !l.isForwarded() { - // Use EvtSubscribeStrict to detect when the bookmark is missing and be able to - // subscribe again from the beginning. 
- flags |= win.EvtSubscribeStrict - } - } else { - flags = win.EvtSubscribeStartAtOldestRecord - } - - l.log.Debugw("Using subscription query.", "winlog.query", l.query) - h, err := win.Subscribe( - 0, // Session - nil for localhost - signalEvent, - "", // Channel - empty b/c channel is in the query - l.query, // Query - nil means all events - win.EvtHandle(bookmark), // Bookmark - for resuming from a specific event - flags) - - switch err { //nolint:errorlint // This is an errno or nil. - case nil: - return h, nil - case win.ERROR_NOT_FOUND, win.ERROR_EVT_QUERY_RESULT_STALE, win.ERROR_EVT_QUERY_RESULT_INVALID_POSITION: - // The bookmarked event was not found, we retry the subscription from the start. - incrementMetric(readErrors, err) - return win.Subscribe(0, signalEvent, "", l.query, 0, win.EvtSubscribeStartAtOldestRecord) - default: - return 0, err - } -} - -func (l *winEventLogRaw) Read() ([]Record, error) { - //nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive. - var records []Record - defer func() { - l.metrics.log(records) - }() - - for h, ok := l.iterator.Next(); ok; h, ok = l.iterator.Next() { - record, err := l.processHandle(h) - if err != nil { - l.metrics.logError(err) - l.log.Warnw("Dropping event due to rendering error.", "error", err) - l.metrics.logDropped(err) - incrementMetric(dropReasons, err) - continue - } - records = append(records, *record) - - // It has read the maximum requested number of events. - if len(records) >= l.maxRead { - return records, nil - } - } - - // An error occurred while retrieving more events. - if err := l.iterator.Err(); err != nil { - l.metrics.logError(err) - return records, err - } - - // Reader is configured to stop when there are no more events. 
- if Stop == l.config.NoMoreEvents { - return records, io.EOF - } - - return records, nil -} - -func (l *winEventLogRaw) processHandle(h win.EvtHandle) (*Record, error) { - defer h.Close() - - // NOTE: Render can return an error and a partial event. - evt, xml, err := l.renderer.Render(h) - if evt == nil { - return nil, err - } - if err != nil { - evt.RenderErr = append(evt.RenderErr, err.Error()) - } - - r := &Record{ - API: winEventLogExpAPIName, - Event: *evt, - } - - if l.config.IncludeXML { - r.XML = xml - } - - if l.file { - r.File = l.id - } - - r.Offset = checkpoint.EventLogState{ - Name: l.id, - RecordNumber: r.RecordID, - Timestamp: r.TimeCreated.SystemTime, - } - if r.Offset.Bookmark, err = l.createBookmarkFromEvent(h); err != nil { - l.metrics.logError(err) - l.log.Warnw("Failed creating bookmark.", "error", err) - } - l.lastRead = r.Offset - return r, nil -} - -func (l *winEventLogRaw) createBookmarkFromEvent(evtHandle win.EvtHandle) (string, error) { - bookmark, err := win.NewBookmarkFromEvent(evtHandle) - if err != nil { - return "", fmt.Errorf("failed to create new bookmark from event handle: %w", err) - } - defer bookmark.Close() - - return bookmark.XML() -} - -func (l *winEventLogRaw) Reset() error { - l.log.Debug("Closing event log reader handles for reset.") - return l.close() -} - -func (l *winEventLogRaw) Close() error { - l.log.Debug("Closing event log reader handles.") - l.metrics.close() - return l.close() -} - -func (l *winEventLogRaw) close() error { - if l.iterator == nil { - return l.renderer.Close() - } - return multierr.Combine( - l.iterator.Close(), - l.renderer.Close(), - ) -} diff --git a/winlogbeat/eventlog/wineventlog_test.go b/winlogbeat/eventlog/wineventlog_test.go index 9aafe31a258d..0290ce48feb4 100644 --- a/winlogbeat/eventlog/wineventlog_test.go +++ b/winlogbeat/eventlog/wineventlog_test.go 
@@ -58,98 +58,89 @@ const ( func TestWinEventLogConfig_Validate(t *testing.T) { tests := []struct { - In winEventLogConfig + In config WantErr bool Desc string }{ { - In: winEventLogConfig{ - ConfigCommon: ConfigCommon{ - ID: "test", - XMLQuery: customXMLQuery, - }, + In: config{ + + ID: "test", + XMLQuery: customXMLQuery, }, WantErr: false, Desc: "xml query: all good", }, { - In: winEventLogConfig{ - ConfigCommon: ConfigCommon{ - ID: "test", - XMLQuery: customXMLQuery[:len(customXMLQuery)-4], // Malformed XML by truncation. - }, + In: config{ + + ID: "test", + XMLQuery: customXMLQuery[:len(customXMLQuery)-4], // Malformed XML by truncation. + }, WantErr: true, Desc: "xml query: malformed XML", }, { - In: winEventLogConfig{ - ConfigCommon: ConfigCommon{ - XMLQuery: customXMLQuery, - }, + In: config{ + + XMLQuery: customXMLQuery, }, WantErr: true, Desc: "xml query: missing ID", }, { - In: winEventLogConfig{ - ConfigCommon: ConfigCommon{ - ID: "test", - Name: "test", - XMLQuery: customXMLQuery, - }, + In: config{ + + ID: "test", + Name: "test", + XMLQuery: customXMLQuery, }, WantErr: true, Desc: "xml query: conflicting keys (xml query and name)", }, { - In: winEventLogConfig{ - ConfigCommon: ConfigCommon{ - ID: "test", - XMLQuery: customXMLQuery, - }, + In: config{ + + ID: "test", + XMLQuery: customXMLQuery, SimpleQuery: query{IgnoreOlder: 1}, }, WantErr: true, Desc: "xml query: conflicting keys (xml query and ignore_older)", }, { - In: winEventLogConfig{ - ConfigCommon: ConfigCommon{ - ID: "test", - XMLQuery: customXMLQuery, - }, + In: config{ + + ID: "test", + XMLQuery: customXMLQuery, SimpleQuery: query{Level: "error"}, }, WantErr: true, Desc: "xml query: conflicting keys (xml query and level)", }, { - In: winEventLogConfig{ - ConfigCommon: ConfigCommon{ - ID: "test", - XMLQuery: customXMLQuery, - }, + In: config{ + + ID: "test", + XMLQuery: customXMLQuery, SimpleQuery: query{EventID: "1000"}, }, WantErr: true, Desc: "xml query: conflicting keys (xml query and 
event_id)", }, { - In: winEventLogConfig{ - ConfigCommon: ConfigCommon{ - ID: "test", - XMLQuery: customXMLQuery, - }, + In: config{ + + ID: "test", + XMLQuery: customXMLQuery, SimpleQuery: query{Provider: []string{providerName}}, }, WantErr: true, Desc: "xml query: conflicting keys (xml query and provider)", }, { - In: winEventLogConfig{ - ConfigCommon: ConfigCommon{}, - }, + In: config{}, WantErr: true, Desc: "missing name", }, @@ -166,18 +157,14 @@ func TestWinEventLogConfig_Validate(t *testing.T) { } } -func TestWindowsEventLogAPI(t *testing.T) { - testWindowsEventLog(t, winEventLogAPIName, false) -} - func TestWindowsEventLogAPIRaw(t *testing.T) { // for the raw api using include xml behave differently than not // so we must test both settings - testWindowsEventLog(t, winEventLogRawAPIName, true) - testWindowsEventLog(t, winEventLogRawAPIName, false) + testWindowsEventLog(t, true) + testWindowsEventLog(t, false) } -func testWindowsEventLog(t *testing.T, api string, includeXML bool) { +func testWindowsEventLog(t *testing.T, includeXML bool) { writer, teardown := createLog(t) defer teardown() @@ -191,7 +178,7 @@ func testWindowsEventLog(t *testing.T, api string, includeXML bool) { } openLog := func(t testing.TB, config map[string]interface{}) EventLog { - return openLog(t, api, nil, config) + return openLog(t, nil, config) } t.Run("has_message", func(t *testing.T) { @@ -292,11 +279,6 @@ func testWindowsEventLog(t *testing.T, api string, includeXML bool) { records, err := log.Read() - // This implementation returns the EOF on the next call. - if err == nil && api == winEventLogAPIName { - _, err = log.Read() - } - if assert.Error(t, err, "no_more_events=stop requires io.EOF to be returned") { assert.Equal(t, io.EOF, err) } 
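Review bot: Removing the `ConfigCommon` wrapper left an empty line directly after each `In: config{` opener in this hunk, which gofmt preserves, so every table entry now reads as though a field was cut out of the literal. Drop the blank so each entry reads `In: config{` / `ID: "test",` / `XMLQuery: customXMLQuery,` with no gap, matching the `SimpleQuery:` lines that follow in the same literals. `TestWinEventLogConfig_Validate` continues below the end of the hunk.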
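Review bot: `TestWindowsEventLogAPIRaw` and its comment still talk about "the raw api" even though this hunk deletes the only other API and the `api` parameter, so the suffix no longer distinguishes anything; `TestWindowsEventLogAPI`, freed by the deletion two lines above, is the natural name. The two calls `testWindowsEventLog(t, true)` / `testWindowsEventLog(t, false)` also run inside one test without subtests, so a failure report does not say which `includeXML` setting broke — wrap them as `t.Run("include_xml", func(t *testing.T) { testWindowsEventLog(t, true) })` and the `false` counterpart. `testWindowsEventLog` itself continues past the end of the hunk.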
@@ -321,11 +303,6 @@ func testWindowsEventLog(t *testing.T, api string, includeXML bool) { records, err := log.Read() - // This implementation returns the EOF on the next call. - if err == nil && api == winEventLogAPIName { - _, err = log.Read() - } - if assert.Error(t, err, "no_more_events=stop requires io.EOF to be returned") { assert.Equal(t, io.EOF, err) } @@ -397,21 +374,13 @@ func setLogSize(t testing.TB, provider string, sizeBytes int) { } } -func openLog(t testing.TB, api string, state *checkpoint.EventLogState, config map[string]interface{}) EventLog { +func openLog(t testing.TB, state *checkpoint.EventLogState, config map[string]interface{}) EventLog { cfg, err := conf.NewConfigFrom(config) if err != nil { t.Fatal(err) } - var log EventLog - switch api { - case winEventLogAPIName: - log, err = newWinEventLog(cfg) - case winEventLogRawAPIName: - log, err = newWinEventLogRaw(cfg) - default: - t.Fatalf("Unknown API name: '%s'", api) - } + log, err := newWinEventLog(cfg) if err != nil { t.Fatal(err) } From 97ed84f50251694be9cb11ecee01f904f26806f3 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 13 Jan 2025 06:04:20 -0800 Subject: [PATCH 02/20] Install sysmon event manifests --- .buildkite/scripts/install_sysmon.ps1 | 36 +++++++++++++++++++ .../x-pack/pipeline.xpack.winlogbeat.yml | 12 +++++++ 2 files changed, 48 insertions(+) create mode 100644 .buildkite/scripts/install_sysmon.ps1 diff --git a/.buildkite/scripts/install_sysmon.ps1 b/.buildkite/scripts/install_sysmon.ps1 new file mode 100644 index 000000000000..4f26330a24c5 --- /dev/null +++ b/.buildkite/scripts/install_sysmon.ps1 
@@ -0,0 +1,36 @@
+$downloadUrl = "https://download.sysinternals.com/files/Sysmon.zip"
+$tempFolder = "$env:TEMP\SysmonDownload"
+
+if (!(Test-Path $tempFolder)) {
+ New-Item -ItemType Directory -Path $tempFolder
+}
+
+$ProgressPreference = 'SilentlyContinue'
+try {
+ Invoke-WebRequest -Uri $downloadUrl -OutFile "$tempFolder\Sysmon.zip" -UseBasicParsing
+} catch {
+ $result = $_.Exception.Response.GetResponseStream()
+ $reader = New-Object System.IO.StreamReader($result)
+ $reader.BaseStream.Position = 0
+ $reader.DiscardBufferedData()
+ $reader.ReadToEnd()
+ exit 1
+}
+
+Write-Host "Sysmon.zip downloaded successfully."
+
+Expand-Archive -Path "$tempFolder\Sysmon.zip" -DestinationPath $tempFolder
+
+$sysmonPath = Get-ChildItem -Path "$tempFolder" -Filter "Sysmon64.exe" | Select-Object -ExpandProperty FullName
+
+if ($sysmonPath) {
+ Start-Process -FilePath $sysmonPath -ArgumentList "-m" -Wait
+
+ Write-Host "Sysmon event manifest installation completed."
+} else {
+ Write-Host "Sysmon executable not found in the downloaded archive."
+}
+
+# Clean up the downloaded file
+Remove-Item -Path "$tempFolder\Sysmon.zip"
+Remove-Item -Path $tempFolder -Force -Recurse
diff --git a/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml b/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml
index 398bf10dec50..0f3927bb61df 100644
--- a/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml
+++ b/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml
@@ -65,6 +65,8 @@ steps:
 - label: ":windows: x-pack/winlogbeat Win 2019 Unit Tests"
 key: "mandatory-win-2019-unit-tests"
 command: |
+ Set-Location -Path .buildkite/scripts
+ ./install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 retry:
@@ -91,6 +93,8 @@ steps:
 - label: ":windows: x-pack/winlogbeat: Win 2016 Unit Tests"
 command: |
+ Set-Location -Path .buildkite/scripts
+ ./install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "mandatory-win-2016-unit-tests"
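Review bot: `Start-Process -FilePath $sysmonPath -ArgumentList "-m" -Wait` executes a binary that was just pulled out of a zip fetched from the network with no integrity check at all — no Authenticode verification and no pinned hash — so the CI runner will run whatever download.sysinternals.com, a CDN node or an intercepting proxy hands back. The failure paths are also soft: the `else` branch logs "not found" but exits 0, `-Wait` without `-PassThru` discards Sysmon's exit code, and an `Expand-Archive` error is not terminating without `$ErrorActionPreference = 'Stop'`, so the step proceeds with the manifest unregistered and the winlogbeat tests fail (or pass) for an unrelated-looking reason. `-m` only registers the event manifest, so the runner is not itself instrumented; a header comment saying so would save the next reader a trip to the Sysmon docs. The rewrite below refuses to run an unsigned or non-Microsoft binary (confirm the expected subject against the current release's certificate) and turns the not-found and non-zero-exit cases into step failures. If a fresh runner prompts for the EULA on `-m`, `-accepteula` is needed as well so `-Wait` cannot hang, though I am not certain that switch does prompt.

```powershell
# … unchanged: download and Expand-Archive …
$sysmonPath = Get-ChildItem -Path "$tempFolder" -Filter "Sysmon64.exe" | Select-Object -ExpandProperty FullName

if (-not $sysmonPath) {
    Write-Host "Sysmon executable not found in the downloaded archive."
    exit 1
}

# Refuse to execute a binary pulled off the network unless it carries a valid Microsoft signature.
$sig = Get-AuthenticodeSignature -FilePath $sysmonPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike '*O=Microsoft Corporation*') {
    Write-Host "Sysmon64.exe signature check failed (status: $($sig.Status))."
    exit 1
}

# -m registers the event manifest only; Sysmon is not installed as a service here.
$proc = Start-Process -FilePath $sysmonPath -ArgumentList "-m" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Host "Sysmon -m failed with exit code $($proc.ExitCode)."
    exit $proc.ExitCode
}
Write-Host "Sysmon event manifest installation completed."
# … unchanged: cleanup …
```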
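Review bot: The added `Set-Location -Path .buildkite/scripts` changes the working directory for the rest of the `command` block, so the existing `Set-Location -Path x-pack/winlogbeat` two lines later is now resolved from `.buildkite/scripts` and should fail to find the package (the block already relies on `Set-Location` persisting for `mage` to run in the right directory, so the agent is presumably executing it as one script). Invoke the script from the checkout root instead and drop the directory change: `./.buildkite/scripts/install_sysmon.ps1`. Its exit status is also never checked, so a failed manifest install does not fail the step; follow the call with `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }`. The same three-line change is repeated in every unit-test step of this file and needs the same fix in each.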
@@ -118,6 +122,8 @@ steps:
 - label: ":windows: x-pack/winlogbeat: Win 2022 Unit Tests"
 command: |
+ Set-Location -Path .buildkite/scripts
+ ./install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "mandatory-win-2022-unit-tests"
@@ -150,6 +156,8 @@ steps:
 steps:
 - label: ":windows: x-pack/winlogbeat: Win 10 Unit Tests"
 command: |
+ Set-Location -Path .buildkite/scripts
+ ./install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "extended-win-10-unit-tests"
@@ -177,6 +185,8 @@ steps:
 - label: ":windows: x-pack/winlogbeat: Win 11 Unit Tests"
 command: |
+ Set-Location -Path .buildkite/scripts
+ ./install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "extended-win-11-unit-tests"
@@ -204,6 +214,8 @@ steps:
 - label: ":windows: x-pack/winlogbeat: Win 2019 Unit Tests"
 command: |
+ Set-Location -Path .buildkite/scripts
+ ./install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "extended-win-2019-unit-tests"
From d10097e5904b1e81e778e9a8c43087d4d696e4c5 Mon Sep 17 00:00:00 2001
From: Marc Guasch Date: Mon, 13 Jan 2025 06:26:13 -0800 Subject: [PATCH 03/20] Re-generate golden files --- .../testdata/collection/400.evtx.golden.json | 8 - .../testdata/collection/403.evtx.golden.json | 8 - .../testdata/collection/4103.evtx.golden.json | 10 +- .../testdata/collection/4104.evtx.golden.json | 10 +- .../testdata/collection/4105.evtx.golden.json | 5 +- .../testdata/collection/4106.evtx.golden.json | 5 +- .../testdata/collection/600.evtx.golden.json | 6 - .../testdata/collection/800.evtx.golden.json | 8 - .../testdata/collection/1100.evtx.golden.json | 3 +- .../testdata/collection/1102.evtx.golden.json | 5 +- .../testdata/collection/1104.evtx.golden.json | 3 +- .../testdata/collection/1105.evtx.golden.json | 3 +- .../4670_WindowsSrv2016.evtx.golden.json | 5 +- .../4706_WindowsSrv2016.evtx.golden.json | 9 +- .../4707_WindowsSrv2016.evtx.golden.json | 5 +- .../4713_WindowsSrv2016.evtx.golden.json | 7 +- .../4716_WindowsSrv2016.evtx.golden.json | 7 +- .../4717_WindowsSrv2016.evtx.golden.json | 7 +- .../4718_WindowsSrv2016.evtx.golden.json | 7 +- .../testdata/collection/4719.evtx.golden.json | 15 +- .../4719_WindowsSrv2016.evtx.golden.json | 15 +- .../4739_WindowsSrv2016.evtx.golden.json | 5 +- .../testdata/collection/4741.evtx.golden.json | 13 +- .../testdata/collection/4742.evtx.golden.json | 7 +- .../testdata/collection/4743.evtx.golden.json | 5 +- .../testdata/collection/4744.evtx.golden.json | 5 +- .../testdata/collection/4745.evtx.golden.json | 5 +- .../testdata/collection/4746.evtx.golden.json | 5 +- .../testdata/collection/4747.evtx.golden.json | 5 +- .../testdata/collection/4748.evtx.golden.json | 5 +- .../testdata/collection/4749.evtx.golden.json | 5 +- .../testdata/collection/4750.evtx.golden.json | 5 +- .../testdata/collection/4751.evtx.golden.json | 5 +- .../testdata/collection/4752.evtx.golden.json | 5 +- .../testdata/collection/4753.evtx.golden.json | 5 +- .../testdata/collection/4759.evtx.golden.json | 5 +- 
.../testdata/collection/4760.evtx.golden.json | 5 +- .../testdata/collection/4761.evtx.golden.json | 5 +- .../testdata/collection/4762.evtx.golden.json | 5 +- .../testdata/collection/4763.evtx.golden.json | 5 +- .../4817_WindowsSrv2016.evtx.golden.json | 7 +- .../4902_WindowsSrv2016.evtx.golden.json | 5 +- .../4904_WindowsSrv2016.evtx.golden.json | 7 +- .../4905_WindowsSrv2016.evtx.golden.json | 7 +- .../4906_WindowsSrv2016.evtx.golden.json | 3 +- .../4907_WindowsSrv2016.evtx.golden.json | 5 +- .../4908_WindowsSrv2016.evtx.golden.json | 3 +- ...security-windows2012_4673.evtx.golden.json | 5 +- ...security-windows2012_4674.evtx.golden.json | 7 +- ...security-windows2012_4697.evtx.golden.json | 7 +- ...security-windows2012_4698.evtx.golden.json | 5 +- ...security-windows2012_4699.evtx.golden.json | 5 +- ...security-windows2012_4700.evtx.golden.json | 5 +- ...security-windows2012_4701.evtx.golden.json | 5 +- ...security-windows2012_4702.evtx.golden.json | 5 +- ...security-windows2012_4768.evtx.golden.json | 3 +- ...security-windows2012_4769.evtx.golden.json | 7 +- ...security-windows2012_4770.evtx.golden.json | 3 +- ...security-windows2012_4771.evtx.golden.json | 3 +- ...security-windows2012_4776.evtx.golden.json | 3 +- ...security-windows2012_4778.evtx.golden.json | 5 +- ...security-windows2012_4779.evtx.golden.json | 5 +- ...urity-windows2012r2-logon.evtx.golden.json | 126 +- ...security-windows2016-4672.evtx.golden.json | 7 +- ...curity-windows2016-logoff.evtx.golden.json | 10 +- ...2016_4720_Account_Created.evtx.golden.json | 58 +- ...2016_4722_Account_Enabled.evtx.golden.json | 14 +- ...2016_4723_Password_Change.evtx.golden.json | 14 +- ...s2016_4724_Password_Reset.evtx.golden.json | 14 +- ...016_4725_Account_Disabled.evtx.golden.json | 14 +- ...2016_4726_Account_Deleted.evtx.golden.json | 14 +- ...security-windows2016_4727.evtx.golden.json | 3 +- ...security-windows2016_4728.evtx.golden.json | 5 +- ...security-windows2016_4729.evtx.golden.json | 5 +- 
...security-windows2016_4730.evtx.golden.json | 5 +- ...security-windows2016_4731.evtx.golden.json | 5 +- ...security-windows2016_4732.evtx.golden.json | 5 +- ...security-windows2016_4733.evtx.golden.json | 5 +- ...security-windows2016_4734.evtx.golden.json | 5 +- ...security-windows2016_4735.evtx.golden.json | 5 +- ...security-windows2016_4737.evtx.golden.json | 5 +- ...2016_4738_Account_Changed.evtx.golden.json | 48 +- ...6_4740_Account_Locked_Out.evtx.golden.json | 7 +- ...security-windows2016_4754.evtx.golden.json | 5 +- ...security-windows2016_4755.evtx.golden.json | 5 +- ...security-windows2016_4756.evtx.golden.json | 5 +- ...security-windows2016_4757.evtx.golden.json | 5 +- ...security-windows2016_4758.evtx.golden.json | 5 +- ...security-windows2016_4764.evtx.golden.json | 5 +- ...016_4767_Account_Unlocked.evtx.golden.json | 7 +- ...2016_4781_Account_Renamed.evtx.golden.json | 14 +- ...security-windows2016_4798.evtx.golden.json | 7 +- ...security-windows2016_4799.evtx.golden.json | 7 +- ...security-windows2016_4964.evtx.golden.json | 18 +- ...2019_4688_Process_Created.evtx.golden.json | 7 +- ...s2019_4689_Process_Exited.evtx.golden.json | 15 +- .../sysmon-10.2-dns.evtx.golden.json | 1248 ++++++++++------- .../sysmon-11-filedelete.evtx.golden.json | 24 +- ...mon-11-filedeletedetected.evtx.golden.json | 16 +- .../sysmon-11-registry.evtx.golden.json | 40 +- .../sysmon-12-loadimage.evtx.golden.json | 8 +- .../sysmon-12-processcreate.evtx.golden.json | 12 +- ...sysmon-13-clipboardchange.evtx.golden.json | 8 +- ...ysmon-13-processtampering.evtx.golden.json | 8 +- .../collection/sysmon-9.01.evtx.golden.json | 354 +++-- 105 files changed, 1416 insertions(+), 1147 deletions(-) diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/collection/400.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/collection/400.evtx.golden.json index cbc039317126..c612462b250d 100644 
--- a/x-pack/winlogbeat/module/powershell/test/testdata/collection/400.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/collection/400.evtx.golden.json @@ -15,7 +15,6 @@ }, "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_data": { @@ -27,7 +26,6 @@ "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": 1492, "task": "Engine Lifecycle" @@ -49,7 +47,6 @@ }, "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_data": { @@ -61,7 +58,6 @@ "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": 1511, "task": "Engine Lifecycle" 
@@ -83,7 +79,6 @@ }, "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_data": { @@ -95,7 +90,6 @@ "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": 1579, "task": "Engine Lifecycle" @@ -117,7 +111,6 @@ }, "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_data": { @@ -129,7 +122,6 @@ "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": 18591, "task": "Engine Lifecycle" diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/collection/403.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/collection/403.evtx.golden.json index f2841989e1e5..4028b8e1639e 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/collection/403.evtx.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/collection/403.evtx.golden.json 
@@ -15,7 +15,6 @@ }, "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_data": { @@ -27,7 +26,6 @@ "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": 1687, "task": "Engine Lifecycle" @@ -49,7 +47,6 @@ }, "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=", "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_data": { @@ -61,7 +58,6 @@ "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": 1706, "task": "Engine Lifecycle" 
@@ -83,7 +79,6 @@
 },
 "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
 "winlog": {
- "api": "wineventlog",
 "channel": "Windows PowerShell",
 "computer_name": "vagrant",
 "event_data": {
@@ -95,7 +90,6 @@
 "keywords": [
 "Classic"
 ],
- "opcode": "Info",
 "provider_name": "PowerShell",
 "record_id": 1766,
 "task": "Engine Lifecycle"
@@ -117,7 +111,6 @@
 },
 "message": "Engine state is changed from Available to Stopped. \n\nDetails: \n\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
 "winlog": {
- "api": "wineventlog",
 "channel": "Windows PowerShell",
 "computer_name": "vagrant",
 "event_data": {
@@ -129,7 +122,6 @@
 "keywords": [
 "Classic"
 ],
- "opcode": "Info",
 "provider_name": "PowerShell",
 "record_id": 18592,
 "task": "Engine Lifecycle"
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/collection/4103.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/collection/4103.evtx.golden.json
index 9bed8372c84d..0c860473b49a 100644
--- a/x-pack/winlogbeat/module/powershell/test/testdata/collection/4103.evtx.golden.json
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/collection/4103.evtx.golden.json
@@ -15,8 +15,7 @@
 },
 "message": "CommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"\n\n\nContext:\n Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name = \n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\n\nUser Data:",
 "winlog": {
- "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}",
- "api": "wineventlog",
+ "activity_id": "{1ACA0717-2ACB-0002-C208-CA1ACB2AD601}",
 "channel": "Microsoft-Windows-PowerShell/Operational",
 "computer_name": "vagrant",
 "event_data": {
@@ -31,7 +30,7 @@
 "id": 3616
 }
 },
- "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
 "provider_name": "Microsoft-Windows-PowerShell",
 "record_id": 3885,
 "task": "Executing Pipeline",
@@ -57,8 +56,7 @@
 },
 "message": "CommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\n\nContext:\n Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name = \n Command Path = \n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User = \n Shell ID = Microsoft.PowerShell\n\n\nUser Data:",
 "winlog": {
- "activity_id": "{1aca0717-2acb-0003-db0b-ca1acb2ad601}",
- "api": "wineventlog",
+ "activity_id": "{1ACA0717-2ACB-0003-DB0B-CA1ACB2AD601}",
 "channel": "Microsoft-Windows-PowerShell/Operational",
 "computer_name": "vagrant",
 "event_data": {
@@ -73,7 +71,7 @@
 "id": 4160
 }
 },
- "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
 "provider_name": "Microsoft-Windows-PowerShell",
 "record_id": 3917,
 "task": "Executing Pipeline",
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/collection/4104.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/collection/4104.evtx.golden.json
index 38c7997fca74..5fc62ff4dbc3 100644
--- a/x-pack/winlogbeat/module/powershell/test/testdata/collection/4104.evtx.golden.json
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/collection/4104.evtx.golden.json
@@ -15,8 +15,7 @@
 },
 "message": "Creating Scriptblock text (1 of 1):\n.\\patata.ps1\n\nScriptBlock ID: 50d2dbda-7361-4926-a94d-d9eadfdb43fa\nPath: ",
 "winlog": {
- "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}",
- "api": "wineventlog",
+ "activity_id": "{FB13C9DE-29F7-0001-18E0-13FBF729D601}",
 "channel": "Microsoft-Windows-PowerShell/Operational",
 "computer_name": "vagrant",
 "event_data": {
@@ -33,7 +32,7 @@
 "id": 4428
 }
 },
- "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
 "provider_name": "Microsoft-Windows-PowerShell",
 "record_id": 3580,
 "task": "Execute a Remote Command",
@@ -59,8 +58,7 @@
 },
 "message": "Creating Scriptblock text (1 of 1):\n\n\nScriptBlock ID: f5521cbd-656e-4296-b74d-9ffb4eec23b0\nPath: C:\\Users\\vagrant\\Desktop\\patata.ps1",
 "winlog": {
- "activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}",
- "api": "wineventlog",
+ "activity_id": "{FB13C9DE-29F7-0000-79DB-13FBF729D601}",
 "channel": "Microsoft-Windows-PowerShell/Operational",
 "computer_name": "vagrant",
 "event_data": {
@@ -77,7 +75,7 @@
 "id": 4428
 }
 },
- "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
 "provider_name": "Microsoft-Windows-PowerShell",
 "record_id": 3582,
 "task": "Execute a Remote Command",
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/collection/4105.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/collection/4105.evtx.golden.json
index 512240887880..641cd26c9f3b 100644
--- a/x-pack/winlogbeat/module/powershell/test/testdata/collection/4105.evtx.golden.json
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/collection/4105.evtx.golden.json
@@ -15,8 +15,7 @@
 },
 "message": "Started invocation of ScriptBlock ID: f4a378ab-b74f-41a7-a5ef-6dd55562fdb9\nRunspace ID: 9c031e5c-8d5a-4b91-a12e-b3624970b623",
 "winlog": {
- "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}",
- "api": "wineventlog",
+ "activity_id": "{DD68516A-2930-0000-5962-68DD3029D601}",
 "channel": "Microsoft-Windows-PowerShell/Operational",
 "computer_name": "vagrant",
 "event_data": {
@@ -31,7 +30,7 @@
 "id": 1476
 }
 },
- "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
 "provider_name": "Microsoft-Windows-PowerShell",
 "record_id": 790,
 "task": "Starting Command",
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/collection/4106.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/collection/4106.evtx.golden.json
index 9b67fbec9bd3..7d579f7dba86 100644
--- a/x-pack/winlogbeat/module/powershell/test/testdata/collection/4106.evtx.golden.json
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/collection/4106.evtx.golden.json
@@ -15,8 +15,7 @@
 },
 "message": "Completed invocation of ScriptBlock ID: 4c487c13-46f7-4485-925b-34855c7e873c\nRunspace ID: 3f1a9181-0523-4645-a42c-2c1868c39332",
 "winlog": {
- "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}",
- "api": "wineventlog",
+ "activity_id": "{E3200B8A-290E-0002-332A-20E30E29D601}",
 "channel": "Microsoft-Windows-PowerShell/Operational",
 "computer_name": "vagrant",
 "event_data": {
@@ -31,7 +30,7 @@
 "id": 5092
 }
 },
- "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}",
+ "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}",
 "provider_name": "Microsoft-Windows-PowerShell",
 "record_id": 933,
 "task": "Stopping Command",
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/collection/600.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/collection/600.evtx.golden.json
index e11d977fa870..a6f23cc05bc6 100644
--- a/x-pack/winlogbeat/module/powershell/test/testdata/collection/600.evtx.golden.json
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/collection/600.evtx.golden.json
@@ -15,7 +15,6 @@
 },
 "message": "Provider \"Certificate\" is Started. \n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
 "winlog": {
- "api": "wineventlog",
 "channel": "Windows PowerShell",
 "computer_name": "vagrant",
 "event_data": {
@@ -27,7 +26,6 @@
 "keywords": [
 "Classic"
 ],
- "opcode": "Info",
 "provider_name": "PowerShell",
 "record_id": 1089,
 "task": "Provider Lifecycle"
@@ -49,7 +47,6 @@
 },
 "message": "Provider \"Registry\" is Started. \n\nDetails: \n\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
 "winlog": {
- "api": "wineventlog",
 "channel": "Windows PowerShell",
 "computer_name": "vagrant",
 "event_data": {
@@ -61,7 +58,6 @@
 "keywords": [
 "Classic"
 ],
- "opcode": "Info",
 "provider_name": "PowerShell",
 "record_id": 1266,
 "task": "Provider Lifecycle"
@@ -83,7 +79,6 @@
 },
 "message": "Provider \"Certificate\" is Started. \n\nDetails: \n\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
 "winlog": {
- "api": "wineventlog",
 "channel": "Windows PowerShell",
 "computer_name": "vagrant",
 "event_data": {
@@ -95,7 +90,6 @@
 "keywords": [
 "Classic"
 ],
- "opcode": "Info",
 "provider_name": "PowerShell",
 "record_id": 18640,
 "task": "Provider Lifecycle"
diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/collection/800.evtx.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/collection/800.evtx.golden.json
index b58df13122a1..2cce1470abce 100644
--- a/x-pack/winlogbeat/module/powershell/test/testdata/collection/800.evtx.golden.json
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/collection/800.evtx.golden.json
@@ -15,7 +15,6 @@
 },
 "message": "Pipeline execution details for command line: Add-Type -AssemblyName System.IO.Compression.FileSystem\n. \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n \n\nDetails: \nCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"",
 "winlog": {
- "api": "wineventlog",
 "channel": "Windows PowerShell",
 "computer_name": "vagrant-2019",
 "event_data": {
@@ -27,7 +26,6 @@
 "keywords": [
 "Classic"
 ],
- "opcode": "Info",
 "provider_name": "PowerShell",
 "record_id": 191,
 "task": "Pipeline Execution Details"
@@ -49,7 +47,6 @@
 },
 "message": "Pipeline execution details for command line: \u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }. \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026 { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails } \n\nDetails: \nCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"",
 "winlog": {
- "api": "wineventlog",
 "channel": "Windows PowerShell",
 "computer_name": "vagrant",
 "event_data": {
@@ -61,7 +58,6 @@
 "keywords": [
 "Classic"
 ],
- "opcode": "Info",
 "provider_name": "PowerShell",
 "record_id": 1843,
 "task": "Pipeline Execution Details"
@@ -83,7 +79,6 @@
 },
 "message": "Pipeline execution details for command line: Import-LocalizedData LocalizedData -filename ArchiveResources\n. \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n \n\nDetails: \nCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"",
 "winlog": {
- "api": "wineventlog",
 "channel": "Windows PowerShell",
 "computer_name": "vagrant",
 "event_data": {
@@ -95,7 +90,6 @@
 "keywords": [
 "Classic"
 ],
- "opcode": "Info",
 "provider_name": "PowerShell",
 "record_id": 1846,
 "task": "Pipeline Execution Details"
@@ -117,7 +111,6 @@
 },
 "message": "Pipeline execution details for command line: . \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine= \n\nDetails: \nCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"",
 "winlog": {
- "api": "wineventlog",
 "channel": "Windows PowerShell",
 "computer_name": "vagrant",
 "event_data": {
@@ -128,7 +121,6 @@
 "keywords": [
 "Classic"
 ],
- "opcode": "Info",
 "provider_name": "PowerShell",
 "record_id": 1847,
 "task": "Pipeline Execution Details"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/1100.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/1100.evtx.golden.json
index 4aa5ac0739b7..9b0a9a7b6a6a 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/1100.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/1100.evtx.golden.json
@@ -16,7 +16,6 @@
 },
 "message": "The event logging service has shut down.",
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_id": "1100",
@@ -30,7 +29,7 @@
 "id": 4532
 }
 },
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}",
 "provider_name": "Microsoft-Windows-Eventlog",
 "record_id": 14257,
 "task": "Service shutdown"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/1102.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/1102.evtx.golden.json
index aae6080485c5..eb3a6c2b67fb 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/1102.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/1102.evtx.golden.json
@@ -14,9 +14,8 @@
 "log": {
 "level": "information"
 },
- "message": "The audit log was cleared.\nSubject:\n\tSecurity ID:\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\tAdministrator\n\tDomain Name:\tWLBEAT\n\tLogon ID:\t0x50E87",
+ "message": "The audit log was cleared.\nSubject:\n\tSecurity ID:\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\tAdministrator\n\tDomain Name:\tWLBEAT\n\tLogon ID:\t0x50e87",
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_id": "1102",
@@ -30,7 +29,7 @@
 "id": 1824
 }
 },
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}",
 "provider_name": "Microsoft-Windows-Eventlog",
 "record_id": 14224,
 "task": "Log clear",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/1104.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/1104.evtx.golden.json
index 66384ef29c7b..57a60fbe0fa9 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/1104.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/1104.evtx.golden.json
@@ -16,7 +16,6 @@
 },
 "message": "The security log is now full.",
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_id": "1104",
@@ -30,7 +29,7 @@
 "id": 1444
 }
 },
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}",
 "provider_name": "Microsoft-Windows-Eventlog",
 "record_id": 19352,
 "task": "Event processing"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/1105.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/1105.evtx.golden.json
index d803ecf42a42..35c6d4ca3322 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/1105.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/1105.evtx.golden.json
@@ -16,7 +16,6 @@
 },
 "message": "Event log automatic backup\n\tLog:\tSecurity\n\tFile:\tC:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx",
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_id": "1105",
@@ -30,7 +29,7 @@
 "id": 1484
 }
 },
- "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
+ "provider_guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}",
 "provider_name": "Microsoft-Windows-Eventlog",
 "record_id": 18197,
 "task": "Log automatic backup",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4670_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4670_WindowsSrv2016.evtx.golden.json
index 354b9572b3a8..5d4cb8fc6041 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/4670_WindowsSrv2016.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4670_WindowsSrv2016.evtx.golden.json
@@ -14,9 +14,8 @@
 "log": {
 "level": "information"
 },
- "message": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x56c\n\nProcess:\n\tProcess ID:\t0x2fc\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
+ "message": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x56c\n\nProcess:\n\tProcess ID:\t0x2fc\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)",
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
 "event_data": {
@@ -44,7 +43,7 @@
 "id": 4604
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": 31932,
 "task": "Authorization Policy Change"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4706_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4706_WindowsSrv2016.evtx.golden.json
index f16352f0a1b6..87814280378c 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/4706_WindowsSrv2016.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4706_WindowsSrv2016.evtx.golden.json
@@ -14,16 +14,15 @@
 "log": {
 "level": "information"
 },
- "message": "A new trust was created to a domain.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nTrusted Domain:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0\n\nTrust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\tDisabled",
+ "message": "A new trust was created to a domain.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6a868\n\nTrusted Domain:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0\n\nTrust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\tDisabled",
 "winlog": {
- "activity_id": "{be129571-63f8-0000-a795-12bef863d601}",
- "api": "wineventlog",
+ "activity_id": "{BE129571-63F8-0000-A795-12BEF863D601}",
 "channel": "Security",
 "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
 "event_data": {
 "DomainName": "192.168.230.153",
 "DomainSid": "S-1-0-0",
- "SidFilteringEnabled": "%%1796",
+ "SidFilteringEnabled": "Disabled",
 "SubjectDomainName": "TEST",
 "SubjectLogonId": "0x6a868",
 "SubjectUserName": "Administrator",
@@ -43,7 +42,7 @@
 "id": 3056
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": 6017,
 "task": "Authentication Policy Change"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4707_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4707_WindowsSrv2016.evtx.golden.json
index 4afbc8e37e50..aea498ee4180 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/4707_WindowsSrv2016.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4707_WindowsSrv2016.evtx.golden.json
@@ -14,9 +14,8 @@
 "log": {
 "level": "information"
 },
- "message": "A trust to a domain was removed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nDomain Information:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0",
+ "message": "A trust to a domain was removed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6a868\n\nDomain Information:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0",
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
 "event_data": {
@@ -38,7 +37,7 @@
 "id": 2012
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": 13679,
 "task": "Authentication Policy Change"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4713_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4713_WindowsSrv2016.evtx.golden.json
index d661971b2d57..b896b9837210 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/4713_WindowsSrv2016.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4713_WindowsSrv2016.evtx.golden.json
@@ -14,10 +14,9 @@
 "log": {
 "level": "information"
 },
- "message": "Kerberos policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nChanges Made:\n('--' means no changes, otherwise each change is shown as:\n(Parameter Name):\t(new value) (old value))\nKerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ",
+ "message": "Kerberos policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nChanges Made:\n('--' means no changes, otherwise each change is shown as:\n(Parameter Name):\t(new value) (old value))\nKerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ",
 "winlog": {
- "activity_id": "{be129571-63f8-0000-a795-12bef863d601}",
- "api": "wineventlog",
+ "activity_id": "{BE129571-63F8-0000-A795-12BEF863D601}",
 "channel": "Security",
 "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
 "event_data": {
@@ -38,7 +37,7 @@
 "id": 2012
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": 21265,
 "task": "Authentication Policy Change"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4716_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4716_WindowsSrv2016.evtx.golden.json
index 40c587f11f4c..566b324978ce 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/4716_WindowsSrv2016.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4716_WindowsSrv2016.evtx.golden.json
@@ -14,10 +14,9 @@
 "log": {
 "level": "information"
 },
- "message": "Trusted domain information was modified.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nTrusted Domain:\n\tDomain Name:\t\t-\n\tDomain ID:\t\tS-1-0-0\n\nNew Trust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\t-",
+ "message": "Trusted domain information was modified.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6a868\n\nTrusted Domain:\n\tDomain Name:\t\t-\n\tDomain ID:\t\tS-1-0-0\n\nNew Trust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\t-",
 "winlog": {
- "activity_id": "{be129571-63f8-0000-a795-12bef863d601}",
- "api": "wineventlog",
+ "activity_id": "{BE129571-63F8-0000-A795-12BEF863D601}",
 "channel": "Security",
 "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
 "event_data": {
@@ -43,7 +42,7 @@
 "id": 3776
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": 14929,
 "task": "Authentication Policy Change"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4717_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4717_WindowsSrv2016.evtx.golden.json
index 59b512bf45db..a47eedb617e3 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/4717_WindowsSrv2016.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4717_WindowsSrv2016.evtx.golden.json
@@ -14,10 +14,9 @@
 "log": {
 "level": "information"
 },
- "message": "System security access was granted to an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-9\n\nAccess Granted:\n\tAccess Right:\t\tSeNetworkLogonRight",
+ "message": "System security access was granted to an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-9\n\nAccess Granted:\n\tAccess Right:\t\tSeNetworkLogonRight",
 "winlog": {
- "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}",
- "api": "wineventlog",
+ "activity_id": "{B69BB9FF-63F5-0000-35BA-9BB6F563D601}",
 "channel": "Security",
 "computer_name": "WIN-BVM4LI1L1Q6",
 "event_data": {
@@ -39,7 +38,7 @@
 "id": 820
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": 1571,
 "task": "Authentication Policy Change"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4718_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4718_WindowsSrv2016.evtx.golden.json
index 136e11b2fcb2..88652c898ce6 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/4718_WindowsSrv2016.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4718_WindowsSrv2016.evtx.golden.json
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "System security access was removed from an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-32-545\n\nAccess Removed:\n\tAccess Right:\t\tSeNetworkLogonRight", + "message": "System security access was removed from an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-32-545\n\nAccess Removed:\n\tAccess Right:\t\tSeNetworkLogonRight", "winlog": { - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "api": "wineventlog", + "activity_id": "{B69BB9FF-63F5-0000-35BA-9BB6F563D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6", "event_data": { @@ -39,7 +38,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1565, "task": "Authentication Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4719.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4719.evtx.golden.json index 073122df8dd3..885762c90faa 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4719.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4719.evtx.golden.json 
@@ -14,17 +14,16 @@ "log": { "level": "information" }, - "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\nAudit Policy Change:\n\tCategory:\t\tLogon/Logoff\n\tSubcategory:\t\tNetwork Policy Server\n\tSubcategory GUID:\t{0cce9243-69ae-11d9-bed3-505054503030}\n\tChanges:\t\tSuccess Added, Failure added", + "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3e7\n\nAudit Policy Change:\n\tCategory:\t\tLogon/Logoff\n\tSubcategory:\t\tNetwork Policy Server\n\tSubcategory GUID:\t{0CCE9243-69AE-11D9-BED3-505054503030}\n\tChanges:\t\tSuccess Added, Failure added", "winlog": { - "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", - "api": "wineventlog", + "activity_id": "{3EEF0A0D-9551-0000-140C-EF3E5195D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { - "AuditPolicyChanges": "%%8449, %%8451", - "CategoryId": "%%8273", - "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", - "SubcategoryId": "%%12552", + "AuditPolicyChanges": "Success Added, Failure added", + "CategoryId": "Logon/Logoff", + "SubcategoryGuid": "{0CCE9243-69AE-11D9-BED3-505054503030}", + "SubcategoryId": "Network Policy Server", "SubjectDomainName": "WLBEAT", "SubjectLogonId": "0x3e7", "SubjectUserName": "WIN-41OB2LO92CR$", @@ -41,7 +40,7 @@ "id": 2944 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 17154, "task": "Audit Policy Change" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4719_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4719_WindowsSrv2016.evtx.golden.json index 19d1bc6220fa..e5af8d63fa54 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4719_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4719_WindowsSrv2016.evtx.golden.json @@ -14,17 +14,16 @@ "log": { "level": "information" }, - "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x44D7D\n\nAudit Policy Change:\n\tCategory:\t\tObject Access\n\tSubcategory:\t\tOther Object Access Events\n\tSubcategory GUID:\t{0cce9227-69ae-11d9-bed3-505054503030}\n\tChanges:\t\tSuccess removed", + "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x44d7d\n\nAudit Policy Change:\n\tCategory:\t\tObject Access\n\tSubcategory:\t\tOther Object Access Events\n\tSubcategory GUID:\t{0CCE9227-69AE-11D9-BED3-505054503030}\n\tChanges:\t\tSuccess removed", "winlog": { - "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", - "api": "wineventlog", + "activity_id": "{65461D39-753F-0000-731D-46653F75D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { - "AuditPolicyChanges": "%%8448", - "CategoryId": "%%8274", - "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", - "SubcategoryId": "%%12804", + "AuditPolicyChanges": "Success removed", + "CategoryId": "Object Access", + "SubcategoryGuid": "{0CCE9227-69AE-11D9-BED3-505054503030}", + "SubcategoryId": "Other Object Access Events", "SubjectDomainName": "TEST", "SubjectLogonId": "0x44d7d", "SubjectUserName": "Administrator", 
@@ -41,7 +40,7 @@ "id": 2764 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 123879, "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4739_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4739_WindowsSrv2016.evtx.golden.json index d6264bc9d778..a3e79e117333 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4739_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4739_WindowsSrv2016.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "Domain Policy was changed.\n\nChange Type:\t\tPassword Policy modified\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nDomain:\n\tDomain Name:\t\tTEST\n\tDomain ID:\t\tS-1-5-21-2024912787-2692429404-2351956786\n\nChanged Attributes:\n\tMin. Password Age:\t\n\tMax. Password Age:\t\n\tForce Logoff:\t\t\n\tLockout Threshold:\t\n\tLockout Observation Window:\t\n\tLockout Duration:\t\n\tPassword Properties:\t\n\tMin. Password Length:\t\n\tPassword History Length:\t-\n\tMachine Account Quota:\t-\n\tMixed Domain Mode:\t-\n\tDomain Behavior Version:\t-\n\tOEM Information:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "Domain Policy was changed.\n\nChange Type:\t\tPassword Policy modified\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nDomain:\n\tDomain Name:\t\tTEST\n\tDomain ID:\t\tS-1-5-21-2024912787-2692429404-2351956786\n\nChanged Attributes:\n\tMin. Password Age:\t\n\tMax. Password Age:\t\n\tForce Logoff:\t\t\n\tLockout Threshold:\t\n\tLockout Observation Window:\t\n\tLockout Duration:\t\n\tPassword Properties:\t\n\tMin. Password Length:\t\n\tPassword History Length:\t-\n\tMachine Account Quota:\t-\n\tMixed Domain Mode:\t-\n\tDomain Behavior Version:\t-\n\tOEM Information:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -45,7 +44,7 @@ "id": 812 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3532, "task": "Authentication Policy Change" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4741.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4741.evtx.golden.json index 87b50d46fe90..ec9172563e07 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4741.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4741.evtx.golden.json 
@@ -14,22 +14,21 @@ "log": { "level": "information" }, - "message": "A computer account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Computer Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\tTESTCOMPUTEROBJ$\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t515\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x85\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Workstation Trust Account' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\u003cvalue not set\u003e\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "A computer account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nNew Computer Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\tTESTCOMPUTEROBJ$\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t515\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x85\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Workstation Trust 
Account' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\u003cvalue not set\u003e\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", "DisplayName": "-", "DnsHostName": "-", "HomeDirectory": "-", "HomePath": "-", - "LogonHours": "%%1793", + "LogonHours": "\u003cvalue not set\u003e", "NewUacValue": "0x85", "OldUacValue": "0x0", - "PasswordLastSet": "%%1794", + "PasswordLastSet": "\u003cnever\u003e", "PrimaryGroupId": "515", "PrivilegeList": "-", "ProfilePath": "-", @@ -44,7 +43,7 @@ "TargetDomainName": "TEST", "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", "TargetUserName": "TESTCOMPUTEROBJ$", - "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2087", + "UserAccountControl": "\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Workstation Trust Account' - Enabled", "UserParameters": "-", "UserPrincipalName": "-", "UserWorkstations": "-" @@ -60,7 +59,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3699929, "task": "Computer Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4742.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4742.evtx.golden.json index e316d4c3797f..06a532d82147 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4742.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4742.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x85\n\tNew UAC Value:\t\t0x84\n\tUser Account Control:\t\n\t\tAccount Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x85\n\tNew UAC Value:\t\t0x84\n\tUser Account Control:\t\n\t\tAccount Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", 
"computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -45,7 +44,7 @@ "TargetDomainName": "TEST", "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", "TargetUserName": "TESTCOMPUTEROBJ$", - "UserAccountControl": "\n\t\t%%2048", + "UserAccountControl": "\n\t\tAccount Enabled", "UserParameters": "-", "UserPrincipalName": "-", "UserWorkstations": "-" @@ -61,7 +60,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3699934, "task": "Computer Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4743.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4743.evtx.golden.json index 548e0508f842..46a1de5516fd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4743.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4743.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A computer account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nTarget Computer:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A computer account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nTarget Computer:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -40,7 +39,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3699966, "task": "Computer Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4744.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4744.evtx.golden.json index 60e7ce718692..74119ecb0a66 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4744.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4744.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-disabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestdistlocal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestdistlocal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -42,7 +41,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3699973, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4745.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4745.evtx.golden.json index a16ffee64d5b..0ba4a2f63bcd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4745.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4745.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-disabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestdistlocal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestdistlocal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -42,7 +41,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3700000, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4746.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4746.evtx.golden.json index c6db9e34a738..ca4856f1839a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4746.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4746.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was added to a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -42,7 +41,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3700022, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4747.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4747.evtx.golden.json index b023a51a0b8c..1e7a95a4f54a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4747.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4747.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -42,7 +41,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3700064, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4748.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4748.evtx.golden.json index 8128bb7e5b43..230ecaa1d8a2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4748.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4748.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-disabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -40,7 +39,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707490, "task": "Distribution Group Management" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4749.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4749.evtx.golden.json index befee4e3a708..5e3245c0c67b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4749.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4749.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-disabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestglobal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestglobal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -42,7 +41,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707497, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4750.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4750.evtx.golden.json index 1208e6795fb0..2852ae05b2e6 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/4750.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4750.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-disabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestglobal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestglobal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -42,7 +41,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707550, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4751.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4751.evtx.golden.json index 8e5bbf3ec05e..678ce56d9c74 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4751.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4751.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was added to a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -42,7 +41,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707667, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4752.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4752.evtx.golden.json index beccfa4f1e95..37144f6c2880 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4752.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4752.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -42,7 +41,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707686, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4753.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4753.evtx.golden.json index 155347456ddf..f1aaa165bf07 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4753.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4753.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-disabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -40,7 +39,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707709, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4759.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4759.evtx.golden.json index 0767acdc651f..28d1a5ecacf8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4759.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4759.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-disabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestuni\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestuni\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -42,7 +41,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707737, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4760.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4760.evtx.golden.json index 89f70d8faca4..cbc9ca990fb4 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4760.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4760.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-disabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestuni2\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestuni2\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -42,7 +41,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707745, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4761.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4761.evtx.golden.json index c7935e8ace1c..37d47817526e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4761.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4761.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was added to a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -42,7 +41,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707755, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4762.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4762.evtx.golden.json index 60ea376b6851..931a505e785a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4762.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4762.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -42,7 +41,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707841, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4763.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4763.evtx.golden.json index 3a794e4426dc..144f5cc0c0db 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4763.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4763.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-disabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -40,7 +39,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3707847, "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4817_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4817_WindowsSrv2016.evtx.golden.json index 1dc963897690..6ce5f77ed5cd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4817_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4817_WindowsSrv2016.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tLSA\n\tObject Type:\tGlobal SACL\n\tObject Name:\tFile\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nObject:\n\tObject Server:\tLSA\n\tObject Type:\tGlobal SACL\n\tObject Name:\tFile\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", "winlog": { - "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", - "api": "wineventlog", + "activity_id": "{DFCD2C2A-7481-0000-682C-CDDF8174D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -41,7 +40,7 @@ "id": 3052 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 114278, "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4902_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4902_WindowsSrv2016.evtx.golden.json index c2fca0a8ae7c..2ac44685ad3f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4902_WindowsSrv2016.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4902_WindowsSrv2016.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "The Per-user audit policy table was created.\n\nNumber of Elements:\t0\nPolicy ID:\t0x9FD2", + "message": "The Per-user audit policy table was created.\n\nNumber of Elements:\t0\nPolicy ID:\t0x9fd2", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -34,7 +33,7 @@ "id": 832 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 140273, "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4904_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4904_WindowsSrv2016.evtx.golden.json index c393596c326d..74f29e20ecb6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4904_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4904_WindowsSrv2016.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "An attempt was made to register a security event source.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nProcess:\n\tProcess ID:\t0xe18\n\tProcess Name:\tC:\\Windows\\System32\\inetsrv\\inetinfo.exe\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x460422", + "message": "An attempt was made to register a security event source.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nProcess:\n\tProcess ID:\t0xe18\n\tProcess Name:\tC:\\Windows\\System32\\inetsrv\\inetinfo.exe\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x460422", "winlog": { - "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", - "api": "wineventlog", + "activity_id": "{DAB46F85-75EE-0000-C36F-B4DAEE75D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -41,7 +40,7 @@ "id": 824 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 146939, "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4905_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4905_WindowsSrv2016.evtx.golden.json index b6121ab0db86..be19683c4572 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4905_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4905_WindowsSrv2016.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "An attempt was made to unregister a security event source.\n\nSubject\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nProcess:\n\tProcess ID:\t0x1364\n\tProcess Name:\t-\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x457B22", + "message": "An attempt was made to unregister a security event source.\n\nSubject\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nProcess:\n\tProcess ID:\t0x1364\n\tProcess Name:\t-\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x457b22", "winlog": { - "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", - "api": "wineventlog", + "activity_id": "{DAB46F85-75EE-0000-C36F-B4DAEE75D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -41,7 +40,7 @@ "id": 824 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 146938, "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4906_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4906_WindowsSrv2016.evtx.golden.json index c228cc42f275..5c3663babe41 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4906_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4906_WindowsSrv2016.evtx.golden.json @@ -16,7 +16,6 @@ }, "message": "The CrashOnAuditFail value has changed.\n\nNew Value of CrashOnAuditFail:\t1", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { 
@@ -33,7 +32,7 @@ "id": 804 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 123786, "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4907_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4907_WindowsSrv2016.evtx.golden.json index 2d95363f93e7..ac7cf48ba491 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4907_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4907_WindowsSrv2016.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1\n\tHandle ID:\t0x93c\n\nProcess Information:\n\tProcess ID:\t0x10cc\n\tProcess Name:\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1\n\tHandle ID:\t0x93c\n\nProcess Information:\n\tProcess ID:\t0x10cc\n\tProcess Name:\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -43,7 +42,7 @@ "id": 408 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 146933, "task": "Audit Policy Change" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/4908_WindowsSrv2016.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/4908_WindowsSrv2016.evtx.golden.json index 283fe0bf3ea1..c82820f101e6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/4908_WindowsSrv2016.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/4908_WindowsSrv2016.evtx.golden.json @@ -16,7 +16,6 @@ }, "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -33,7 +32,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 140274, "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4673.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4673.evtx.golden.json index 60cc5ec5249e..f49e76683340 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4673.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4673.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A privileged service was called.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tDC_TEST2K12$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nService:\n\tServer:\tNT Local Security Authority / Authentication Service\n\tService Name:\tLsaRegisterLogonProcess()\n\nProcess:\n\tProcess ID:\t0x1f0\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\n\nService Request Information:\n\tPrivileges:\t\tSeTcbPrivilege", + "message": "A privileged service was called.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tDC_TEST2K12$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nService:\n\tServer:\tNT Local Security Authority / Authentication Service\n\tService Name:\tLsaRegisterLogonProcess()\n\nProcess:\n\tProcess ID:\t0x1f0\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\n\nService Request Information:\n\tPrivileges:\t\tSeTcbPrivilege", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -41,7 +40,7 @@ "id": 504 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5109160, "task": "Sensitive Privilege Use" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4674.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4674.evtx.golden.json index d468e326678b..2817db725364 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4674.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4674.evtx.golden.json 
@@ -14,13 +14,12 @@ "log": { "level": "information" }, - "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x8AA365B\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1ee0\n\nProcess Information:\n\tProcess ID:\t0x374\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\t\t\t\t\n\tPrivileges:\t\tSeSecurityPrivilege", + "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x8aa365b\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1ee0\n\nProcess Information:\n\tProcess ID:\t0x374\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\t\t\t\t\n\tPrivileges:\t\tSeSecurityPrivilege", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { - "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t", + "AccessMask": "READ_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\t\t\t\t", "HandleId": "0x1ee0", "ObjectName": "C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor", "ObjectServer": "Security", 
@@ -44,7 +43,7 @@ "id": 504 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5109140, "task": "Sensitive Privilege Use" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4697.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4697.evtx.golden.json index 875004f10778..ee731f761d8a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4697.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4697.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4C323\n\nService Information:\n\tService Name: \t\twinlogbeat\n\tService File Name:\t\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true\n\tService Type: \t\t0x10\n\tService Start Type:\t2\n\tService Account: \t\tLocalSystem", + "message": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4c323\n\nService Information:\n\tService Name: \t\twinlogbeat\n\tService File Name:\t\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true\n\tService Type: \t\t0x10\n\tService Start Type:\t2\n\tService Account: \t\tLocalSystem", "winlog": { - "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", - "api": "wineventlog", + "activity_id": "{74B64D41-08CE-0000-454F-B674CE08D601}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 2492 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 90108, "task": "Security System Extension" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4698.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4698.evtx.golden.json index 20549b99df43..cc482d8e8203 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4698.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4698.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A scheduled task was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -38,7 +37,7 @@ "id": 3684 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5043782, "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4699.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4699.evtx.golden.json index 892782dc7dd2..1776a70ae9c8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4699.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4699.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A scheduled task was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n 
\u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -38,7 +37,7 @@ "id": 3684 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5043801, "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4700.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4700.evtx.golden.json index 4bca5b681ef1..c3664747de8f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4700.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4700.evtx.golden.json 
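Review bot: `winlog.api` is dropped from every event (`- "api": "wineventlog"` here and in each of the following file sections), which is a schema change for consumers that filter, route or alert on that field. If the field is intentionally removed because only one implementation remains, the field definition and module documentation should be updated and the removal listed as breaking; otherwise emitting the constant value keeps existing queries working. Separately, the rendered message now prints `Logon ID:\t\t0x60d1ca6` in lowercase while GUIDs moved to uppercase, so it is worth confirming the new formatter's hex and GUID rendering is deliberate rather than a side effect of the different Windows API calls.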
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A scheduled task was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -38,7 +37,7 @@ "id": 3684 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5043792, "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4701.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4701.evtx.golden.json index 73bd8327834d..570bd9fda3ae 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4701.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4701.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A scheduled task was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003efalse\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003efalse\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -38,7 +37,7 @@ "id": 3684 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5043789, "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4702.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4702.evtx.golden.json index d1de2298e1f9..3ffeeac1eef6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4702.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4702.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A scheduled task was updated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask New Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was updated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask New Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n 
\u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -38,7 +37,7 @@ "id": 1284 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5043795, "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4768.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4768.evtx.golden.json index 1ca523c93488..5f6609592a8f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4768.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4768.evtx.golden.json 
@@ -16,7 +16,6 @@ }, "message": "A Kerberos authentication ticket (TGT) was requested.\n\nAccount Information:\n\tAccount Name:\t\tat_adm\n\tSupplied Realm Name:\tTEST.SAAS\n\tUser ID:\t\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\nService Information:\n\tService Name:\t\tkrbtgt\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-502\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x40810010\n\tResult Code:\t\t0x0\n\tTicket Encryption Type:\t0x12\n\tPre-Authentication Type:\t2\n\nCertificate Information:\n\tCertificate Issuer Name:\t\t\n\tCertificate Serial Number:\t\n\tCertificate Thumbprint:\t\t\n\nCertificate information is only provided if a certificate was used for pre-authentication.\n\nPre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -43,7 +42,7 @@ "id": 2868 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5040235, "task": "Kerberos Authentication Service" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4769.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4769.evtx.golden.json index 9f66d92329de..b30ce1be312a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4769.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4769.evtx.golden.json 
@@ -14,15 +14,14 @@ "log": { "level": "information" }, - "message": "A Kerberos service ticket was requested.\n\nAccount Information:\n\tAccount Name:\t\tat_adm@TEST.SAAS\n\tAccount Domain:\t\tTEST.SAAS\n\tLogon GUID:\t\t{46f85809-d26e-96f5-fbf2-73bd761a2d68}\n\nService Information:\n\tService Name:\t\tDC_TEST2K12$\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-1110\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x40810000\n\tTicket Encryption Type:\t0x12\n\tFailure Code:\t\t0x0\n\tTransited Services:\t-\n\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\n\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\n\nTicket options, encryption types, and failure codes are defined in RFC 4120.", + "message": "A Kerberos service ticket was requested.\n\nAccount Information:\n\tAccount Name:\t\tat_adm@TEST.SAAS\n\tAccount Domain:\t\tTEST.SAAS\n\tLogon GUID:\t\t{46F85809-D26E-96F5-FBF2-73BD761A2D68}\n\nService Information:\n\tService Name:\t\tDC_TEST2K12$\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-1110\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x40810000\n\tTicket Encryption Type:\t0x12\n\tFailure Code:\t\t0x0\n\tTransited Services:\t-\n\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\n\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. 
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\n\nTicket options, encryption types, and failure codes are defined in RFC 4120.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { "IpAddress": "::1", "IpPort": "0", - "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}", + "LogonGuid": "{46F85809-D26E-96F5-FBF2-73BD761A2D68}", "ServiceName": "DC_TEST2K12$", "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110", "Status": "0x0", @@ -43,7 +42,7 @@ "id": 2868 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5040236, "task": "Kerberos Service Ticket Operations" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4770.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4770.evtx.golden.json index 120b95473677..06beb67cb296 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4770.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4770.evtx.golden.json @@ -16,7 +16,6 @@ }, "message": "A Kerberos service ticket was renewed.\n\nAccount Information:\n\tAccount Name:\t\tDC_TEST2K12$@TEST.SAAS\n\tAccount Domain:\t\tTEST.SAAS\n\nService Information:\n\tService Name:\t\tkrbtgt\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-502\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x10002\n\tTicket Encryption Type:\t0x12\n\nTicket options and encryption types are defined in RFC 4120.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -40,7 +39,7 @@
 "id": 4468
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": 5039598,
 "task": "Kerberos Service Ticket Operations"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4771.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4771.evtx.golden.json
index d206f98b3a77..75b9cfd1843f 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4771.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4771.evtx.golden.json
@@ -16,7 +16,6 @@
 },
 "message": "Kerberos pre-authentication failed.\n\nAccount Information:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-3057\n\tAccount Name:\t\tMPUIG\n\nService Information:\n\tService Name:\t\tkrbtgt/test.saas\n\nNetwork Information:\n\tClient Address:\t\t::ffff:192.168.5.44\n\tClient Port:\t\t53366\n\nAdditional Information:\n\tTicket Options:\t\t0x40810010\n\tFailure Code:\t\t0x12\n\tPre-Authentication Type:\t0\n\nCertificate Information:\n\tCertificate Issuer Name:\t\t\n\tCertificate Serial Number: \t\n\tCertificate Thumbprint:\t\t\n\nCertificate information is only provided if a certificate was used for pre-authentication.\n\nPre-authentication types, ticket options and failure codes are defined in RFC 4120.\n\nIf the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.",
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
 "event_data": {
@@ -40,7 +39,7 @@
 "id": 4552
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": 5027836,
 "task": "Kerberos Authentication Service"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4776.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4776.evtx.golden.json
index 618462ebfcc2..00b40eec73ff 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4776.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4776.evtx.golden.json
@@ -16,7 +16,6 @@
 },
 "message": "The computer attempted to validate the credentials for an account.\n\nAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nLogon Account:\tat_adm\nSource Workstation:\tEQP01777\nError Code:\t0x0",
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
 "event_data": {
@@ -36,7 +35,7 @@
 "id": 1864
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": 5040222,
 "task": "Credential Validation"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4778.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4778.evtx.golden.json
index 6252de2b2488..0b13bd536d1c 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4778.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4778.evtx.golden.json
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A session was reconnected to a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x76FEA87\n\nSession:\n\tSession Name:\t\tRDP-Tcp#127\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.9\n\nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.", + "message": "A session was reconnected to a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x76fea87\n\nSession:\n\tSession Name:\t\tRDP-Tcp#127\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.9\n\nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -38,7 +37,7 @@ "id": 4184 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5101675, "task": "Other Logon/Logoff Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4779.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4779.evtx.golden.json index 32121d9b7fbf..8f52419bda43 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4779.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012_4779.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A session was disconnected from a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CCB\n\nSession:\n\tSession Name:\t\tRDP-Tcp#116\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.17\n\n\nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.", + "message": "A session was disconnected from a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ccb\n\nSession:\n\tSession Name:\t\tRDP-Tcp#116\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.17\n\n\nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -38,7 +37,7 @@ "id": 3852 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5069070, "task": "Other Logon/Logoff Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012r2-logon.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012r2-logon.evtx.golden.json index cd8ab55a9fe8..ef28953abeb7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012r2-logon.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2012r2-logon.evtx.golden.json 
@@ -14,14 +14,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -52,7 +51,7 @@ "id": 536 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1535, "task": "Logon", 
@@ -74,14 +73,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -112,7 +110,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1538, "task": "Logon", 
@@ -134,14 +132,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1c0\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t127.0.0.1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008e\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1c0\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t127.0.0.1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "127.0.0.1", "IpPort": "0", "KeyLength": "0", @@ -173,7 +170,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1542, "task": "Logon", 
@@ -195,14 +192,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -233,7 +229,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1545, "task": "Logon", 
@@ -255,14 +251,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x129F1\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x129f1\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -293,7 +288,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1547, "task": "Logon", 
@@ -315,14 +310,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x28D31\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x28d31\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "128", @@ -353,7 +347,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1550, "task": "Logon", 
@@ -375,14 +369,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x29F0F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x29f0f\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "128", @@ -413,7 +406,7 @@ "id": 548 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1553, "task": "Logon", 
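Review bot: The new expected output in these hunks drops the `winlog.api` field and rewrites `winlog.provider_guid` from `{54849625-5478-4994-a5ba-3e3b0328c30d}` to the uppercase `{54849625-5478-4994-A5BA-3E3B0328C30D}`, and both are silent breaking changes for consumers: exact-match keyword filters in detection rules, saved searches and ingest pipelines on `winlog.provider_guid` are case-sensitive, and any rule scoped with `winlog.api: wineventlog` will no longer match. The same hunks also change `event_data.ImpersonationLevel` from the raw parameter reference `%%1833` to the resolved string `Impersonation`, and lowercase the hex Logon IDs inside `message` (`0x3E7` to `0x3e7`), so rules or correlation logic keyed on the old literal values will miss events after the upgrade. The reader code that produces these values is not in this chunk, so I cannot tell whether the GUID casing comes straight from the Windows API or from the new rendering path; either way I would normalise the GUID to the lowercase form the previous implementation emitted (a `strings.ToLower` on the provider GUID before it is set on the event), or, if the new form is intentional, state the field removal and the casing and value changes explicitly in the changelog entry so detection engineers can update their rules. A golden-file diff this large is also a good place to confirm the test still exercises the event's `event_data` rather than only the rendered `message`, since the latter now differs only in hex casing.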
@@ -435,14 +428,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x2A362\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x2a362\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "128", @@ -473,7 +465,7 @@ "id": 548 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1556, "task": "Logon", 
@@ -495,14 +487,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x324F8\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t127.0.0.1\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x324f8\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t127.0.0.1\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "128", @@ -534,7 +525,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1561, "task": "Logon", 
@@ -556,14 +547,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-2\n\tAccount Name:\t\tDWM-2\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x33444\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-2\n\tAccount Name:\t\tDWM-2\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x33444\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -594,7 +584,7 @@ "id": 548 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1563, "task": "Logon", 
@@ -616,14 +606,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t10\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x3444F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t10.0.2.2\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t10\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x3444f\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t10.0.2.2\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "10.0.2.2", "IpPort": "0", "KeyLength": "0", @@ -655,7 +644,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1567, "task": "Logon", 
@@ -677,14 +666,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-3\n\tAccount Name:\t\tDWM-3\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x357FD\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x88c\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-3\n\tAccount Name:\t\tDWM-3\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x357fd\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x88c\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -715,7 +703,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1570, "task": "Logon", 
@@ -737,14 +725,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -775,7 +762,7 @@ "id": 1132 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1574, "task": "Logon", 
@@ -797,14 +784,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -835,7 +821,7 @@ "id": 1132 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1576, "task": "Logon", 
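Review bot: The new golden output in this hunk changes the byte representation of several fields consumers key on case-sensitively: `winlog.provider_guid` flips from lowercase to uppercase (`{54849625-...-a5ba-3e3b0328c30d}` → `{54849625-...-A5BA-3E3B0328C30D}`), hex values inside `message` flip from uppercase to lowercase (`0x3E7` → `0x3e7`), the `winlog.api` field disappears, and placeholder strings such as `%%1833` are now resolved to text. Saved searches, term-level detection rules and ingest pipelines written against the previous values will silently stop matching after an upgrade, and a rule like `winlog.api: wineventlog` will match nothing at all. The same pattern repeats in every later hunk of this file and in the windows2016 golden files further down (`activity_id` casing there too). I would either normalize GUID/hex casing in the raw path so the emitted values stay identical to the old implementation, or, if the new casing is intentional, list each affected field in the upgrade/breaking-changes notes so rule authors can adjust; the enclosing JSON document begins and ends outside this hunk.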
@@ -857,14 +843,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -895,7 +880,7 @@ "id": 504 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1578, "task": "Logon", 
@@ -917,14 +902,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -955,7 +939,7 @@ "id": 1132 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1581, "task": "Logon", 
@@ -977,14 +961,13 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -1015,7 +998,7 @@ "id": 344 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1583, "task": "Logon", 
@@ -1037,14 +1020,13 @@ "log": { "level": "information" }, - "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\nLogon Type:\t\t\t2\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tbosch\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x344\n\tCaller Process Name:\tC:\\Windows\\System32\\svchost.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tseclogo\n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008e\n\nLogon Type:\t\t\t2\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tbosch\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xc000006d\n\tSub Status:\t\t0xc0000064\n\nProcess Information:\n\tCaller Process ID:\t0x344\n\tCaller Process Name:\tC:\\Windows\\System32\\svchost.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tseclogo\n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "FailureReason": "%%2313", + "FailureReason": "Unknown user name or bad password.", "IpAddress": "::1", "IpPort": "0", "KeyLength": "0", @@ -1076,7 +1058,7 @@ "id": 2756 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 1585, "task": "Logon" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016-4672.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016-4672.evtx.golden.json index ff7be09f6f28..33b878785264 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016-4672.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016-4672.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1766348727-1038078804-3833492317-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2016\n\tLogon ID:\t\t0x76A087\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1766348727-1038078804-3833492317-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2016\n\tLogon ID:\t\t0x76a087\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", "winlog": { - "activity_id": "{3be96152-eefc-0002-c061-e93bfceed301}", - "api": "wineventlog", + "activity_id": "{3BE96152-EEFC-0002-C061-E93BFCEED301}", "channel": "Security", "computer_name": "vagrant-2016", "event_data": { @@ -38,7 +37,7 @@ "id": 636 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 143340, "task": "Special Logon" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016-logoff.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016-logoff.evtx.golden.json index 7832330412fc..1ceef082eb4b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016-logoff.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016-logoff.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767A77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767a77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -37,7 +36,7 @@ "id": 540 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 485, "task": "Logoff" 
@@ -58,9 +57,8 @@ "log": { "level": "information" }, - "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104A4A6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104a4a6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -81,7 +79,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 747, "task": "Logoff" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4720_Account_Created.evtx.golden.json index f623d544d0ea..fda60c27f28e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4720_Account_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4720_Account_Created.evtx.golden.json 
@@ -14,27 +14,26 @@ "log": { "level": "information" }, - "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount 
Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", - "DisplayName": "%%1793", - "HomeDirectory": "%%1793", - "HomePath": "%%1793", - "LogonHours": "%%1797", + "DisplayName": "\u003cvalue not set\u003e", + "HomeDirectory": "\u003cvalue not set\u003e", + "HomePath": "\u003cvalue not set\u003e", + "LogonHours": "All", "NewUacValue": "0x15", "OldUacValue": "0x0", - "PasswordLastSet": "%%1794", + "PasswordLastSet": "\u003cnever\u003e", "PrimaryGroupId": "513", "PrivilegeList": "-", - "ProfilePath": "%%1793", + "ProfilePath": "\u003cvalue not set\u003e", "SamAccountName": "elastictest1", - "ScriptPath": "%%1793", + "ScriptPath": "\u003cvalue not set\u003e", "SidHistory": "-", "SubjectDomainName": "WIN-41OB2LO92CR", "SubjectLogonId": "0x264b2", @@ -43,10 +42,10 @@ "TargetDomainName": "WIN-41OB2LO92CR", "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", "TargetUserName": "elastictest1", - "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084", - "UserParameters": "%%1793", + "UserAccountControl": "\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled", + "UserParameters": "\u003cvalue not set\u003e", "UserPrincipalName": "-", - "UserWorkstations": "%%1793" + "UserWorkstations": "\u003cvalue not set\u003e" }, "event_id": "4720", "keywords": [ 
@@ -59,7 +58,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2751, "task": "User Account Management" 
@@ -80,27 +79,26 @@ "log": { "level": "information" }, - "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last 
Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", - "DisplayName": "%%1793", - "HomeDirectory": "%%1793", - "HomePath": "%%1793", - "LogonHours": "%%1797", + "DisplayName": "\u003cvalue not set\u003e", + "HomeDirectory": "\u003cvalue not set\u003e", + "HomePath": "\u003cvalue not set\u003e", + "LogonHours": "All", "NewUacValue": "0x15", "OldUacValue": "0x0", - "PasswordLastSet": "%%1794", + "PasswordLastSet": "\u003cnever\u003e", "PrimaryGroupId": "513", "PrivilegeList": "-", - "ProfilePath": "%%1793", + "ProfilePath": "\u003cvalue not set\u003e", "SamAccountName": "audittest0609", - "ScriptPath": "%%1793", + "ScriptPath": "\u003cvalue not set\u003e", "SidHistory": "-", "SubjectDomainName": "WIN-41OB2LO92CR", "SubjectLogonId": "0x264b2", 
@@ -109,10 +107,10 @@ "TargetDomainName": "WIN-41OB2LO92CR", "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", "TargetUserName": "audittest0609", - "UserAccountControl": "\n\t\t%%2080\n\t\t%%2082\n\t\t%%2084", - "UserParameters": "%%1793", + "UserAccountControl": "\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled", + "UserParameters": "\u003cvalue not set\u003e", "UserPrincipalName": "-", - "UserWorkstations": "%%1793" + "UserWorkstations": "\u003cvalue not set\u003e" }, "event_id": "4720", "keywords": [ @@ -125,7 +123,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2775, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4722_Account_Enabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4722_Account_Enabled.evtx.golden.json index 7a6369d697be..6357760b3f1b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4722_Account_Enabled.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4722_Account_Enabled.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -40,7 +39,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2815, "task": "User Account Management" 
@@ -61,10 +60,9 @@ "log": { "level": "information" }, - "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -87,7 +85,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2826, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4723_Password_Change.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4723_Password_Change.evtx.golden.json index 45bda06e0971..d2b5f441ff7f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4723_Password_Change.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4723_Password_Change.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -41,7 +40,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2838, "task": "User Account Management" 
@@ -62,10 +61,9 @@ "log": { "level": "information" }, - "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -89,7 +87,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2839, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4724_Password_Reset.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4724_Password_Reset.evtx.golden.json index c3121ff056bc..c337f214f09c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4724_Password_Reset.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4724_Password_Reset.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -40,7 +39,7 @@ "id": 816 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2762, "task": "User Account Management" 
@@ -61,10 +60,9 @@ "log": { "level": "information" }, - "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -87,7 +85,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2787, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4725_Account_Disabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4725_Account_Disabled.evtx.golden.json index c36a9a4b9552..43020eadac01 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4725_Account_Disabled.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4725_Account_Disabled.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -40,7 +39,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2810, "task": "User Account Management" 
@@ -61,10 +60,9 @@ "log": { "level": "information" }, - "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -87,7 +85,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2820, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4726_Account_Deleted.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4726_Account_Deleted.evtx.golden.json index 3cc6039b21f6..d8c54dec4916 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4726_Account_Deleted.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4726_Account_Deleted.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1001\n\tAccount Name:\t\taudittest23\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1001\n\tAccount Name:\t\taudittest23\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -41,7 +40,7 @@ "id": 1980 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2851, "task": "User Account Management" 
@@ -62,10 +61,9 @@ "log": { "level": "information" }, - "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -89,7 +87,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2857, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4727.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4727.evtx.golden.json index 718d9b0dfebd..a2da96289a21 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4727.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4727.evtx.golden.json 
@@ -16,7 +16,6 @@ }, "message": "A security-enabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x27438\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1110\n\tGroup Name:\t\tDnsUpdateProxy\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tDnsUpdateProxy\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4105, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4728.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4728.evtx.golden.json index ee6e66a9c55e..ff167960762d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4728.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4728.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was added to a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4657, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4729.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4729.evtx.golden.json index a0a65b40c8c3..e8af0f3985f6 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4729.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4729.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4665, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4730.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4730.evtx.golden.json index 874ec3c59715..d11f2bb7362a 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4730.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4730.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-enabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nDeleted Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nDeleted Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -40,7 +39,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4670, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4731.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4731.evtx.golden.json index 97a3216b486a..8aade62ca129 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4731.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4731.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-enabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\ttest_group1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\ttest_group1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4569, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4732.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4732.evtx.golden.json index 5302a5370192..e37edc384edb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4732.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4732.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4625, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4733.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4733.evtx.golden.json index 876f22bf3846..2fb13f6a5518 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4733.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4733.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4627, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4734.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4734.evtx.golden.json index 8a513e05f138..5256505b1aa8 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4734.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4734.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-enabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -40,7 +39,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4630, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4735.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4735.evtx.golden.json index 067b2c679473..fb3e56d249bc 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4735.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4735.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-enabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\ttest_group1v1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\ttest_group1v1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4628, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4737.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4737.evtx.golden.json index 1b8c86523b64..9a5416627eb5 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4737.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4737.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-enabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4668, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4738_Account_Changed.evtx.golden.json index 067f7666da56..4860a435fc93 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4738_Account_Changed.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4738_Account_Changed.evtx.golden.json 
@@ -14,28 +14,27 @@ "log": { "level": "information" }, - "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\telastictest1\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:30:28\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x210\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t-\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\telastictest1\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:30:28\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC 
Value:\t\t0x210\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t-\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", "DisplayName": "elastictest1", "Dummy": "-", - "HomeDirectory": "%%1793", - "HomePath": "%%1793", - "LogonHours": "%%1797", + "HomeDirectory": "\u003cvalue not set\u003e", + "HomePath": "\u003cvalue not set\u003e", + "LogonHours": "All", "NewUacValue": "0x210", "OldUacValue": "0x210", "PasswordLastSet": "6/9/2019 10:30:28", "PrimaryGroupId": "513", "PrivilegeList": "-", - "ProfilePath": "%%1793", + "ProfilePath": "\u003cvalue not set\u003e", "SamAccountName": "elastictest1", - "ScriptPath": "%%1793", + "ScriptPath": "\u003cvalue not set\u003e", "SidHistory": "-", "SubjectDomainName": "WIN-41OB2LO92CR", "SubjectLogonId": "0x264b2", @@ -45,9 +44,9 @@ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", "TargetUserName": "elastictest1", "UserAccountControl": "-", - "UserParameters": "%%1793", + "UserParameters": "\u003cvalue not set\u003e", "UserPrincipalName": "-", - "UserWorkstations": "%%1793" + "UserWorkstations": "\u003cvalue not set\u003e" }, "event_id": "4738", "keywords": [ @@ -60,7 +59,7 @@ "id": 1980 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2862, "task": "User Account Management" 
@@ -81,28 +80,27 @@ "log": { "level": "information" }, - "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\taudittest0609s\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:25:21\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x10\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t\n\t\t'Don't Expire Password' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\taudittest0609s\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:25:21\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group 
ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x10\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t\n\t\t'Don't Expire Password' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", "DisplayName": "audittest0609s", "Dummy": "-", - "HomeDirectory": "%%1793", - "HomePath": "%%1793", - "LogonHours": "%%1797", + "HomeDirectory": "\u003cvalue not set\u003e", + "HomePath": "\u003cvalue not set\u003e", + "LogonHours": "All", "NewUacValue": "0x210", "OldUacValue": "0x10", "PasswordLastSet": "6/9/2019 10:25:21", "PrimaryGroupId": "513", "PrivilegeList": "-", - "ProfilePath": "%%1793", + "ProfilePath": "\u003cvalue not set\u003e", "SamAccountName": "audittest0609", - "ScriptPath": "%%1793", + "ScriptPath": "\u003cvalue not set\u003e", "SidHistory": "-", "SubjectDomainName": "WIN-41OB2LO92CR", "SubjectLogonId": "0x264b2", @@ -111,10 +109,10 @@ "TargetDomainName": "WIN-41OB2LO92CR", "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", "TargetUserName": "audittest0609", - "UserAccountControl": "\n\t\t%%2089", - "UserParameters": "%%1793", + "UserAccountControl": "\n\t\t'Don't Expire Password' - Enabled", + "UserParameters": "\u003cvalue not set\u003e", "UserPrincipalName": "-", - "UserWorkstations": "%%1793" + "UserWorkstations": "\u003cvalue not set\u003e" }, "event_id": "4738", "keywords": [ 
@@ -127,7 +125,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2866, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4740_Account_Locked_Out.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4740_Account_Locked_Out.evtx.golden.json index 567fc6b451c3..c8cee446d919 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4740_Account_Locked_Out.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4740_Account_Locked_Out.evtx.golden.json @@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\nAdditional Information:\n\tCaller Computer Name:\tWIN-41OB2LO92CR", + "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\nAdditional Information:\n\tCaller Computer Name:\tWIN-41OB2LO92CR", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { 
@@ -40,7 +39,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2883, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4754.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4754.evtx.golden.json index d0dab573e838..b8538350f6e3 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4754.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4754.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-enabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tTest_group3\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tTest_group3\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { 
@@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4676, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4755.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4755.evtx.golden.json index e77ca5006b41..2c7c60ccc584 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4755.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4755.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-enabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { 
@@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4685, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4756.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4756.evtx.golden.json index 8c3c76be483f..0e7311503e31 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4756.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4756.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was added to a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tAccount Name:\t\tTest_group3v2\n\tAccount Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tAccount Name:\t\tTest_group3v2\n\tAccount Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4684, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4757.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4757.evtx.golden.json index caf16c483e24..157a52f9ea25 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4757.evtx.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4757.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -42,7 +41,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4686, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4758.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4758.evtx.golden.json index 9eb30b447951..b7d50ccf8a7e 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4758.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4758.evtx.golden.json @@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A security-enabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -40,7 +39,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4687, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4764.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4764.evtx.golden.json index d03794d48f38..c6918498ba67 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4764.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4764.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A group’s type was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nChange Type:\t\t\tSecurity Enabled Universal Group Changed to Security Enabled Global Group.\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A group’s type was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nChange Type:\t\t\tSecurity Enabled Universal Group Changed to Security Enabled Global Group.\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -41,7 +40,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 4669, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4767_Account_Unlocked.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4767_Account_Unlocked.evtx.golden.json index 78d7902fc751..c454e6c85174 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4767_Account_Unlocked.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4767_Account_Unlocked.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "A user account was unlocked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "A user account was unlocked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -40,7 +39,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2892, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4781_Account_Renamed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4781_Account_Renamed.evtx.golden.json index 2895c8eb4239..9921528fd242 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4781_Account_Renamed.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4781_Account_Renamed.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest0609\n\tNew Account Name:\taudittest06\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest0609\n\tNew Account Name:\taudittest06\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -42,7 +41,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2873, "task": "User Account Management" 
@@ -63,10 +62,9 @@ "log": { "level": "information" }, - "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest06\n\tNew Account Name:\taudittest0609\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest06\n\tNew Account Name:\taudittest0609\n\nAdditional Information:\n\tPrivileges:\t\t-", "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -91,7 +89,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2875, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4798.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4798.evtx.golden.json index 5cb8bf3e03e9..2666a73a60c9 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4798.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4798.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nProcess Information:\n\tProcess ID:\t\t0x3f0\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe", + "message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nUser:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nProcess Information:\n\tProcess ID:\t\t0x3f0\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe", "winlog": { - "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", - "api": "wineventlog", + "activity_id": "{C3FF3C1C-7DC1-0000-233E-FFC3C17DD501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -42,7 +41,7 @@ "id": 1740 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 2996, "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4799.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4799.evtx.golden.json index 73e2d0b83f33..116716564e1a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4799.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4799.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "A security-enabled local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nProcess Information:\n\tProcess ID:\t\t0x494\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe", + "message": "A security-enabled local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nProcess Information:\n\tProcess ID:\t\t0x494\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe", "winlog": { - "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", - "api": "wineventlog", + "activity_id": "{C3FF3C1C-7DC1-0000-233E-FFC3C17DD501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -42,7 +41,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 3002, "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4964.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4964.evtx.golden.json index 917749bec457..794dc2ca04b2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4964.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2016_4964.evtx.golden.json 
@@ -14,10 +14,9 @@ "log": { "level": "information" }, - "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x1D22ED\n\tLogon GUID:\t{c25cdf73-2322-651f-f4fb-db862c0e03a8}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}", + "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x1d22ed\n\tLogon GUID:\t{C25CDF73-2322-651F-F4FB-DB862C0E03A8}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}", "winlog": { - "activity_id": "{af6b9825-ffd8-0000-2f9a-6bafd8ffd501}", - "api": "wineventlog", + "activity_id": "{AF6B9825-FFD8-0000-2F9A-6BAFD8FFD501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -28,7 +27,7 @@ "SubjectUserName": "WIN-41OB2LO92CR$", "SubjectUserSid": "S-1-5-18", "TargetDomainName": "WLBEAT", - "TargetLogonGuid": "{c25cdf73-2322-651f-f4fb-db862c0e03a8}", + "TargetLogonGuid": "{C25CDF73-2322-651F-F4FB-DB862C0E03A8}", "TargetLogonId": "0x1d22ed", "TargetUserName": "Administrator", "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" 
@@ -44,7 +43,7 @@ "id": 828 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 68259, "task": "Special Logon" @@ -65,10 +64,9 @@ "log": { "level": "information" }, - "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x7C0BE\n\tLogon GUID:\t{38fec9bc-577f-76f6-5d29-e0175ce19797}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-512}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-1007}", + "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x7c0be\n\tLogon GUID:\t{38FEC9BC-577F-76F6-5D29-E0175CE19797}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-512}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-1007}", "winlog": { - "activity_id": "{a22b4bf4-ffdc-0000-ee4d-2ba2dcffd501}", - "api": "wineventlog", + "activity_id": "{A22B4BF4-FFDC-0000-EE4D-2BA2DCFFD501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { 
@@ -79,7 +77,7 @@ "SubjectUserName": "WIN-41OB2LO92CR$", "SubjectUserSid": "S-1-5-18", "TargetDomainName": "WLBEAT", - "TargetLogonGuid": "{38fec9bc-577f-76f6-5d29-e0175ce19797}", + "TargetLogonGuid": "{38FEC9BC-577F-76F6-5D29-E0175CE19797}", "TargetLogonId": "0x7c0be", "TargetUserName": "Administrator", "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" @@ -95,7 +93,7 @@ "id": 2608 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 68620, "task": "Special Logon" diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2019_4688_Process_Created.evtx.golden.json index 1c49eefb4420..44ce122fab4f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2019_4688_Process_Created.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2019_4688_Process_Created.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A new process has been created.\n\nCreator Subject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nTarget Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nProcess Information:\n\tNew Process ID:\t\t0x11cc\n\tNew Process Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tToken Elevation Type:\t%%1937\n\tMandatory Label:\t\tS-1-16-12288\n\tCreator Process ID:\t0x122c\n\tCreator Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\tProcess Command Line:\t\"C:\\Windows\\system32\\wevtutil.exe\" cl Security\n\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\n\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\n\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\n\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", + "message": "A new process has been created.\n\nCreator Subject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274a2\n\nTarget Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nProcess Information:\n\tNew Process ID:\t\t0x11cc\n\tNew Process Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tToken Elevation Type:\tTokenElevationTypeFull (2)\n\tMandatory Label:\t\tS-1-16-12288\n\tCreator Process ID:\t0x122c\n\tCreator Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\tProcess Command Line:\t\"C:\\Windows\\system32\\wevtutil.exe\" cl Security\n\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\n\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\n\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\n\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. 
The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant", "event_data": { @@ -34,7 +33,7 @@ "TargetLogonId": "0x0", "TargetUserName": "-", "TargetUserSid": "S-1-0-0", - "TokenElevationType": "%%1937" + "TokenElevationType": "TokenElevationTypeFull (2)" }, "event_id": "4688", "keywords": [ @@ -47,7 +46,7 @@ "id": 5076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 5010, "task": "Process Creation", diff --git a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2019_4689_Process_Exited.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2019_4689_Process_Exited.evtx.golden.json index 2869ca32749e..c132c6ee3fa2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2019_4689_Process_Exited.evtx.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/collection/security-windows2019_4689_Process_Exited.evtx.golden.json 
@@ -14,9 +14,8 @@ "log": { "level": "information" }, - "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0x1524\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274a2\n\nProcess Information:\n\tProcess ID:\t0x1524\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant", "event_data": { @@ -39,7 +38,7 @@ "id": 1168 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 7538, "task": "Process Termination" @@ -60,9 +59,8 @@ "log": { "level": "information" }, - "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274F1\n\nProcess Information:\n\tProcess ID:\t0xf94\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tExit Status:\t0x0", + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274f1\n\nProcess Information:\n\tProcess ID:\t0xf94\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tExit Status:\t0x0", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant", "event_data": { 
@@ -85,7 +83,7 @@ "id": 500 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 7542, "task": "Process Termination" @@ -106,9 +104,8 @@ "log": { "level": "information" }, - "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0xac8\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", + "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274a2\n\nProcess Information:\n\tProcess ID:\t0xac8\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant", "event_data": { @@ -131,7 +128,7 @@ "id": 5636 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": 7544, "task": "Process Termination" diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-10.2-dns.evtx.golden.json index fde0b84006f5..31dd88f1fa67 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-10.2-dns.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-10.2-dns.evtx.golden.json @@ -2,6 +2,7 @@ { "@timestamp": "2019-07-18T03:34:02.0252239Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -12,13 +13,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.239\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: go.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessGuid": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "ProcessId": "356", "QueryName": "go.microsoft.com", "QueryResults": "type: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;", @@ -33,9 +34,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 66, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -48,6 +50,7 @@ { "@timestamp": "2019-07-18T03:34:02.0252377Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
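Review bot: The newly added `message` for this Sysmon DNS-query record disagrees with the record's own `event_data`: the message reads `ProcessId: 0` and ends with an unresolved placeholder `User: %9`, while `event_data.ProcessId` on the same event is `"356"` and there is no `User` key at all. That looks like the message template (which has a ninth `User` parameter) is being applied to an event that only carries eight parameters, and the positional substitution is sliding or defaulting — the rendered text should not be trusted as-is by anyone reading `message` for triage. Consider validating the parameter count against the template before rendering (and leaving unresolved `%N` tokens blank or dropping `message` rather than emitting them), plus a test that asserts the `ProcessId` shown in `message` equals `event_data.ProcessId`. The same `ProcessId: 0` / `User: %9` pattern repeats in each of the remaining DNS-query hunks in this file.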
@@ -58,13 +61,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.261\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: www.msn.com\nQueryStatus: 0\nQueryResults: type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "www.msn.com", "QueryResults": "type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;", @@ -79,9 +82,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 67, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -94,6 +98,7 @@ { "@timestamp": "2019-07-18T03:34:02.0252623Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -104,13 +109,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.449\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: static-global-s-msn-com.akamaized.net\nQueryStatus: 0\nQueryResults: type: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "static-global-s-msn-com.akamaized.net", "QueryResults": "type: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;", @@ -125,9 +130,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 68, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -140,6 +146,7 @@ { "@timestamp": "2019-07-18T03:34:02.0252736Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -150,13 +157,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.457\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: www.bing.com\nQueryStatus: 0\nQueryResults: type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessGuid": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "ProcessId": "356", "QueryName": "www.bing.com", "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;", @@ -171,9 +178,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 69, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -186,6 +194,7 @@ { "@timestamp": "2019-07-18T03:34:02.0252842Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -196,13 +205,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.494\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: linkmaker.itunes.apple.com\nQueryStatus: 0\nQueryResults: type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "linkmaker.itunes.apple.com", "QueryResults": "type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;", @@ -217,9 +226,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 70, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -232,6 +242,7 @@ { "@timestamp": "2019-07-18T03:34:02.0253173Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -242,13 +253,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.810\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: confiant-integrations.global.ssl.fastly.net\nQueryStatus: 0\nQueryResults: ::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "confiant-integrations.global.ssl.fastly.net", "QueryResults": "::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;", @@ -263,9 +274,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 71, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -278,6 +290,7 @@ { "@timestamp": "2019-07-18T03:34:02.0253304Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -288,13 +301,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.894\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: c.msn.com\nQueryStatus: 0\nQueryResults: type: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "c.msn.com", "QueryResults": "type: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;", @@ -309,9 +322,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 72, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -324,6 +338,7 @@ { "@timestamp": "2019-07-18T03:34:02.0253473Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -334,13 +349,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.948\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: c.bing.com\nQueryStatus: 0\nQueryResults: type: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "c.bing.com", "QueryResults": "type: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;", @@ -355,9 +370,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 73, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -370,6 +386,7 @@ { "@timestamp": "2019-07-18T03:34:03.0281901Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -380,13 +397,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.085\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: contextual.media.net\nQueryStatus: 0\nQueryResults: ::ffff:23.52.167.93;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "contextual.media.net", "QueryResults": "::ffff:23.52.167.93;", @@ -401,9 +418,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 74, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -416,6 +434,7 @@ { "@timestamp": "2019-07-18T03:34:03.0282747Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -426,13 +445,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.174\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: at.atwola.com\nQueryStatus: 0\nQueryResults: type: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "at.atwola.com", "QueryResults": "type: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;", @@ -447,9 +466,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 75, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -462,6 +482,7 @@ { "@timestamp": "2019-07-18T03:34:03.0283589Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -472,13 +493,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.274\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: m.adnxs.com\nQueryStatus: 0\nQueryResults: type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "m.adnxs.com", "QueryResults": "type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", @@ -493,9 +514,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 76, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -508,6 +530,7 @@ { "@timestamp": "2019-07-18T03:34:03.0284128Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -518,13 +541,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.291\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cms.analytics.yahoo.com\nQueryStatus: 0\nQueryResults: type: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "cms.analytics.yahoo.com", "QueryResults": "type: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;", @@ -539,9 +562,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 77, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -554,6 +578,7 @@ { "@timestamp": "2019-07-18T03:34:03.028501Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -564,13 +589,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.413\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cvision.media.net\nQueryStatus: 0\nQueryResults: type: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "cvision.media.net", "QueryResults": "type: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;", @@ -585,9 +610,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 78, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -600,6 +626,7 @@ { "@timestamp": "2019-07-18T03:34:03.0285856Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -610,13 +637,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.424\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: g.bing.com\nQueryStatus: 0\nQueryResults: type: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "g.bing.com", "QueryResults": "type: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;", @@ -631,9 +658,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 79, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -646,6 +674,7 @@ { "@timestamp": "2019-07-18T03:34:03.0289003Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -656,13 +685,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.427\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: lg3.media.net\nQueryStatus: 0\nQueryResults: ::ffff:23.52.167.93;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "lg3.media.net", "QueryResults": "::ffff:23.52.167.93;", @@ -677,9 +706,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 80, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -692,6 +722,7 @@ { "@timestamp": "2019-07-18T03:34:03.0290311Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -702,13 +733,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.469\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: service.sp.advertising.com\nQueryStatus: 0\nQueryResults: type: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "service.sp.advertising.com", "QueryResults": "type: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;", @@ -723,9 +754,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 81, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -738,6 +770,7 @@ { "@timestamp": "2019-07-18T03:34:03.0290984Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -748,13 +781,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.485\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sb.scorecardresearch.com\nQueryStatus: 0\nQueryResults: type: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "sb.scorecardresearch.com", "QueryResults": "type: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;", @@ -769,9 +802,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 82, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -784,6 +818,7 @@ { "@timestamp": "2019-07-18T03:34:03.0291129Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -794,13 +829,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.500\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: otf.msn.com\nQueryStatus: 0\nQueryResults: type: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "otf.msn.com", "QueryResults": "type: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;", @@ -815,9 +850,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 83, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -830,6 +866,7 @@ { "@timestamp": "2019-07-18T03:34:03.0291263Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -840,13 +877,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.580\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ping.chartbeat.net\nQueryStatus: 0\nQueryResults: ::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ping.chartbeat.net", "QueryResults": "::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;", @@ -861,9 +898,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 84, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -876,6 +914,7 @@ { "@timestamp": "2019-07-18T03:34:03.0291485Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -886,13 +925,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.628\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: clarium.freetls.fastly.net\nQueryStatus: 0\nQueryResults: ::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "clarium.freetls.fastly.net", "QueryResults": "::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;", @@ -907,9 +946,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 85, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -922,6 +962,7 @@ { "@timestamp": "2019-07-18T03:34:03.0291591Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -932,13 +973,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.633\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: nym1-ib.adnxs.com\nQueryStatus: 0\nQueryResults: ::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "nym1-ib.adnxs.com", "QueryResults": "::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", @@ -953,9 +994,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 86, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -968,6 +1010,7 @@ { "@timestamp": "2019-07-18T03:34:03.0292405Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -978,13 +1021,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.716\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: eb2.3lift.com\nQueryStatus: 0\nQueryResults: type: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "eb2.3lift.com", "QueryResults": "type: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;", @@ -999,9 +1042,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 87, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1014,6 +1058,7 @@ { "@timestamp": "2019-07-18T03:34:03.0292514Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1024,13 +1069,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.727\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: px.ads.linkedin.com\nQueryStatus: 0\nQueryResults: type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "px.ads.linkedin.com", "QueryResults": "type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", @@ -1045,9 +1090,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 88, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1060,6 +1106,7 @@ { "@timestamp": "2019-07-18T03:34:03.0292602Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1070,13 +1117,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.733\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: login.live.com\nQueryStatus: 0\nQueryResults: type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "login.live.com", "QueryResults": "type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;", @@ -1091,9 +1138,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 89, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1106,6 +1154,7 @@ { "@timestamp": "2019-07-18T03:34:03.0293152Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1116,13 +1165,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.792\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dis.criteo.com\nQueryStatus: 0\nQueryResults: ::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "dis.criteo.com", "QueryResults": "::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", @@ -1137,9 +1186,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 90, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1152,6 +1202,7 @@ { "@timestamp": "2019-07-18T03:34:03.0293311Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1162,13 +1213,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.792\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ib.adnxs.com\nQueryStatus: 0\nQueryResults: type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ib.adnxs.com", "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", @@ -1183,9 +1234,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 91, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1198,6 +1250,7 @@ { "@timestamp": "2019-07-18T03:34:03.0293399Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1208,13 +1261,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.809\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cm.g.doubleclick.net\nQueryStatus: 0\nQueryResults: type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "cm.g.doubleclick.net", "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;", @@ -1229,9 +1282,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 92, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1244,6 +1298,7 @@ { "@timestamp": "2019-07-18T03:34:03.0293501Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1254,13 +1309,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.821\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: match.adsrvr.org\nQueryStatus: 0\nQueryResults: type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "match.adsrvr.org", "QueryResults": "type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", @@ -1275,9 +1330,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 93, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1290,6 +1346,7 @@ { "@timestamp": "2019-07-18T03:34:03.0293589Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1300,13 +1357,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.821\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ssum-sec.casalemedia.com\nQueryStatus: 0\nQueryResults: type: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ssum-sec.casalemedia.com", "QueryResults": "type: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;", @@ -1321,9 +1378,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 94, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1336,6 +1394,7 @@ { "@timestamp": "2019-07-18T03:34:03.0293695Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1346,13 +1405,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.828\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: protected-by.clarium.io\nQueryStatus: 0\nQueryResults: type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "protected-by.clarium.io", "QueryResults": "type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;", @@ -1367,9 +1426,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 95, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1382,6 +1442,7 @@ { "@timestamp": "2019-07-18T03:34:03.029379Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1392,13 +1453,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.838\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pagead2.googlesyndication.com\nQueryStatus: 0\nQueryResults: type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "pagead2.googlesyndication.com", "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;", @@ -1413,9 +1474,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 96, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1428,6 +1490,7 @@ { "@timestamp": "2019-07-18T03:34:03.0293885Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1438,13 +1501,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.839\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: googleads.g.doubleclick.net\nQueryStatus: 0\nQueryResults: type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "googleads.g.doubleclick.net", "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;", @@ -1459,9 +1522,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 97, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1474,6 +1538,7 @@ { "@timestamp": "2019-07-18T03:34:03.0293988Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1484,13 +1549,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.841\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel.advertising.com\nQueryStatus: 0\nQueryResults: type: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "pixel.advertising.com", "QueryResults": "type: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;", @@ -1505,9 +1570,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 98, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1520,6 +1586,7 @@ { "@timestamp": "2019-07-18T03:34:03.0294086Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1530,13 +1597,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.844\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: onevideosync.uplynk.com\nQueryStatus: 0\nQueryResults: type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "onevideosync.uplynk.com", "QueryResults": "type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", @@ -1551,9 +1618,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 99, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1566,6 +1634,7 @@ { "@timestamp": "2019-07-18T03:34:03.0294167Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1576,13 +1645,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.956\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ad.turn.com\nQueryStatus: 0\nQueryResults: type: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ad.turn.com", "QueryResults": "type: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;", @@ -1597,9 +1666,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 100, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1612,6 +1682,7 @@ { "@timestamp": "2019-07-18T03:34:03.6116197Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1622,13 +1693,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.005\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ups.analytics.yahoo.com\nQueryStatus: 0\nQueryResults: type: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ups.analytics.yahoo.com", "QueryResults": "type: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;", @@ -1643,9 +1714,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 101, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1658,6 +1730,7 @@ { "@timestamp": "2019-07-18T03:34:03.8023696Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1668,13 +1741,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.070\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pm.w55c.net\nQueryStatus: 0\nQueryResults: type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "pm.w55c.net", "QueryResults": "type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", @@ -1689,9 +1762,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 102, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1704,6 +1778,7 @@ { "@timestamp": "2019-07-18T03:34:03.8023918Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1714,13 +1789,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.093\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cm.eyereturn.com\nQueryStatus: 0\nQueryResults: ::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "cm.eyereturn.com", "QueryResults": "::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", @@ -1735,9 +1810,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 103, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1750,6 +1826,7 @@ { "@timestamp": "2019-07-18T03:34:03.802402Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1760,13 +1837,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.099\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: www.googletagservices.com\nQueryStatus: 0\nQueryResults: type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "www.googletagservices.com", "QueryResults": "type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;", @@ -1781,9 +1858,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 104, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1796,6 +1874,7 @@ { "@timestamp": "2019-07-18T03:34:03.802413Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1806,13 +1885,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.107\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cm.adgrx.com\nQueryStatus: 0\nQueryResults: type: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "cm.adgrx.com", "QueryResults": "type: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", @@ -1827,9 +1906,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 105, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1842,6 +1922,7 @@ { "@timestamp": "2019-07-18T03:34:03.8024239Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1852,13 +1933,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.107\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: csm2waycm-atl.netmng.com\nQueryStatus: 0\nQueryResults: type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "csm2waycm-atl.netmng.com", "QueryResults": "type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", @@ -1873,9 +1954,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 106, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1888,6 +1970,7 @@ { "@timestamp": "2019-07-18T03:34:03.802433Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1898,13 +1981,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.112\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pr-bh.ybp.yahoo.com\nQueryStatus: 0\nQueryResults: type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "pr-bh.ybp.yahoo.com", "QueryResults": "type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;", @@ -1919,9 +2002,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 107, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1934,6 +2018,7 @@ { "@timestamp": "2019-07-18T03:34:03.8024412Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1944,13 +2029,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.113\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ps.eyeota.net\nQueryStatus: 0\nQueryResults: ::ffff:3.83.220.223;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ps.eyeota.net", "QueryResults": "::ffff:3.83.220.223;", @@ -1965,9 +2050,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 108, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1980,6 +2066,7 @@ { "@timestamp": "2019-07-18T03:34:03.802456Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1990,13 +2077,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.146\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: idpix.media6degrees.com\nQueryStatus: 0\nQueryResults: type: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "idpix.media6degrees.com", "QueryResults": "type: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;", @@ -2011,9 +2098,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 109, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2026,6 +2114,7 @@ { "@timestamp": "2019-07-18T03:34:03.8024662Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2036,13 +2125,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.146\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tpc.googlesyndication.com\nQueryStatus: 0\nQueryResults: type: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "tpc.googlesyndication.com", "QueryResults": "type: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", @@ -2057,9 +2146,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 110, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2072,6 +2162,7 @@ { "@timestamp": "2019-07-18T03:34:03.8024806Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2082,13 +2173,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.182\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: image2.pubmatic.com\nQueryStatus: 0\nQueryResults: type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "image2.pubmatic.com", "QueryResults": "type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", @@ -2103,9 +2194,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 111, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2118,6 +2210,7 @@ { "@timestamp": "2019-07-18T03:34:03.8024961Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2128,13 +2221,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.183\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sam.msn.com\nQueryStatus: 0\nQueryResults: type: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "sam.msn.com", "QueryResults": "type: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;", @@ -2149,9 +2242,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 112, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2164,6 +2258,7 @@ { "@timestamp": "2019-07-18T03:34:03.8025162Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2174,13 +2269,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.222\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.sca1b.amazontrust.com\nQueryStatus: 0\nQueryResults: ::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ocsp.sca1b.amazontrust.com", "QueryResults": "::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", @@ -2195,9 +2290,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 113, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2210,6 +2306,7 @@ { "@timestamp": "2019-07-18T03:34:03.8025402Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2220,13 +2317,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.271\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: c1.adform.net\nQueryStatus: 0\nQueryResults: type: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "c1.adform.net", "QueryResults": "type: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;", @@ -2241,9 +2338,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 114, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2256,6 +2354,7 @@ { "@timestamp": "2019-07-18T03:34:03.8025508Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2266,13 +2365,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.271\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: urs.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "urs.microsoft.com", "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", @@ -2287,9 +2386,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 115, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2302,6 +2402,7 @@ { "@timestamp": "2019-07-18T03:34:03.8025607Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2312,13 +2413,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.290\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dsum-sec.casalemedia.com\nQueryStatus: 0\nQueryResults: type: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "dsum-sec.casalemedia.com", "QueryResults": "type: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;", @@ -2333,9 +2434,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 116, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2348,6 +2450,7 @@ { "@timestamp": "2019-07-18T03:34:03.8025698Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -2358,13 +2461,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.292\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.godaddy.com\nQueryStatus: 0\nQueryResults: type: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "ocsp.godaddy.com",
 "QueryResults": "type: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;",
@@ -2379,9 +2482,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 117,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2394,6 +2498,7 @@
 {
 "@timestamp": "2019-07-18T03:34:03.8025871Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2404,13 +2509,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.315\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: googleads.g.doubleclick.net\nQueryStatus: 9701\nQueryResults: \nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "googleads.g.doubleclick.net",
 "QueryStatus": "9701",
@@ -2424,9 +2529,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 118,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2439,6 +2545,7 @@
 {
 "@timestamp": "2019-07-18T03:34:03.8026787Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2449,13 +2556,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.315\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tpc.googlesyndication.com\nQueryStatus: 9701\nQueryResults: \nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "tpc.googlesyndication.com",
 "QueryStatus": "9701",
@@ -2469,9 +2576,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 119,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2484,6 +2592,7 @@
 {
 "@timestamp": "2019-07-18T03:34:03.8027002Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2494,13 +2603,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.333\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.usertrust.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "ocsp.usertrust.com",
 "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
@@ -2515,9 +2624,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 120,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2530,6 +2640,7 @@
 {
 "@timestamp": "2019-07-18T03:34:03.8027154Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2540,13 +2651,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.343\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: isrg.trustid.ocsp.identrust.com\nQueryStatus: 0\nQueryResults: type: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "isrg.trustid.ocsp.identrust.com",
 "QueryResults": "type: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;",
@@ -2561,9 +2672,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 121,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2576,6 +2688,7 @@
 {
 "@timestamp": "2019-07-18T03:34:03.8027291Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2586,13 +2699,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.391\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ad.doubleclick.net\nQueryStatus: 0\nQueryResults: type: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "ad.doubleclick.net",
 "QueryResults": "type: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;",
@@ -2607,9 +2720,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 122,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2622,6 +2736,7 @@
 {
 "@timestamp": "2019-07-18T03:34:03.802739Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2632,13 +2747,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.393\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.sectigo.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "ocsp.sectigo.com",
 "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
@@ -2653,9 +2768,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 123,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2668,6 +2784,7 @@
 {
 "@timestamp": "2019-07-18T03:34:03.8027538Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2678,13 +2795,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.468\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.int-x3.letsencrypt.org\nQueryStatus: 0\nQueryResults: type: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "ocsp.int-x3.letsencrypt.org",
 "QueryResults": "type: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;",
@@ -2699,9 +2816,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 124,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2714,6 +2832,7 @@
 {
 "@timestamp": "2019-07-18T03:34:03.8027683Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2724,13 +2843,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.581\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.pki.goog\nQueryStatus: 0\nQueryResults: type: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "ocsp.pki.goog",
 "QueryResults": "type: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
@@ -2745,9 +2864,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 125,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2760,6 +2880,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.0298288Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2770,13 +2891,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.872\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: googleads4.g.doubleclick.net\nQueryStatus: 0\nQueryResults: type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "googleads4.g.doubleclick.net",
 "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;",
@@ -2791,9 +2912,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 126,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2806,6 +2928,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.0298513Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2816,13 +2939,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.889\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: images.taboola.com\nQueryStatus: 0\nQueryResults: type: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "images.taboola.com",
 "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;",
@@ -2837,9 +2960,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 127,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2852,6 +2976,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.0298619Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2862,13 +2987,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.890\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: api-s2s.taboola.com\nQueryStatus: 0\nQueryResults: type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "api-s2s.taboola.com",
 "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;",
@@ -2883,9 +3008,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 128,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2898,6 +3024,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.02987Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2908,13 +3035,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.892\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: x.bidswitch.net\nQueryStatus: 0\nQueryResults: ::ffff:35.231.30.22;::ffff:35.196.212.198;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "x.bidswitch.net",
 "QueryResults": "::ffff:35.231.30.22;::ffff:35.196.212.198;",
@@ -2929,9 +3056,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 129,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2944,6 +3072,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.0298806Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -2954,13 +3083,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.894\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel.adsafeprotected.com\nQueryStatus: 0\nQueryResults: type: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "pixel.adsafeprotected.com",
 "QueryResults": "type: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
@@ -2975,9 +3104,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 130,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -2990,6 +3120,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.0298901Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3000,13 +3131,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.894\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ml314.com\nQueryStatus: 0\nQueryResults: ::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "ml314.com",
 "QueryResults": "::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
@@ -3021,9 +3152,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 131,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3036,6 +3168,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.0299Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3046,13 +3179,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.902\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: aa.agkn.com\nQueryStatus: 0\nQueryResults: ::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "aa.agkn.com",
 "QueryResults": "::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;",
@@ -3067,9 +3200,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 132,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3082,6 +3216,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.0299099Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3092,13 +3227,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.911\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: s0.2mdn.net\nQueryStatus: 0\nQueryResults: type: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "s0.2mdn.net",
 "QueryResults": "type: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
@@ -3113,9 +3248,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 133,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3128,6 +3264,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.0299204Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3138,13 +3275,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.911\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: b.scorecardresearch.com\nQueryStatus: 0\nQueryResults: type: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "b.scorecardresearch.com",
 "QueryResults": "type: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;",
@@ -3159,9 +3296,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 134,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3174,6 +3312,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.5489581Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3184,13 +3323,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.921\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: edw.edmunds.com\nQueryStatus: 0\nQueryResults: type: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "edw.edmunds.com",
 "QueryResults": "type: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;",
@@ -3205,9 +3344,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 135,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3220,6 +3360,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6927125Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3230,13 +3371,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.101\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.digicert.com\nQueryStatus: 0\nQueryResults: type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "ocsp.digicert.com",
 "QueryResults": "type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;",
@@ -3251,9 +3392,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 136,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3266,6 +3408,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6927502Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3276,13 +3419,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.137\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pre-usermatch.targeting.unrulymedia.com\nQueryStatus: 0\nQueryResults: type: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "pre-usermatch.targeting.unrulymedia.com",
 "QueryResults": "type: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;",
@@ -3297,9 +3440,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 137,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3312,6 +3456,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6927629Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3322,13 +3467,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.141\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: farm.plista.com\nQueryStatus: 0\nQueryResults: type: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "farm.plista.com",
 "QueryResults": "type: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;",
@@ -3343,9 +3488,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 138,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3358,6 +3504,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6927805Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3368,13 +3515,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.168\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: beacon.krxd.net\nQueryStatus: 0\nQueryResults: type: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "beacon.krxd.net",
 "QueryResults": "type: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;",
@@ -3389,9 +3536,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 139,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3404,6 +3552,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6927914Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3414,13 +3563,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.169\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dsum.casalemedia.com\nQueryStatus: 0\nQueryResults: type: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "dsum.casalemedia.com",
 "QueryResults": "type: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;",
@@ -3435,9 +3584,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 140,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3450,6 +3600,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6928031Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3460,13 +3611,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.169\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.mathtag.com\nQueryStatus: 0\nQueryResults: type: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "sync.mathtag.com",
 "QueryResults": "type: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;",
@@ -3481,9 +3632,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 141,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3496,6 +3648,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.692814Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3506,13 +3659,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.184\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: status.rapidssl.com\nQueryStatus: 0\nQueryResults: type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "status.rapidssl.com",
 "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;",
@@ -3527,9 +3680,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 142,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3542,6 +3696,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6928263Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3552,13 +3707,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.184\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.extend.tv\nQueryStatus: 0\nQueryResults: type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "sync.extend.tv",
 "QueryResults": "type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
@@ -3573,9 +3728,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 143,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3588,6 +3744,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6928376Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3598,13 +3755,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.185\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.comodoca.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "ocsp.comodoca.com",
 "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
@@ -3619,9 +3776,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 144,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3634,6 +3792,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6928489Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3644,13 +3803,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.189\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync-tm.everesttech.net\nQueryStatus: 0\nQueryResults: type: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "sync-tm.everesttech.net",
 "QueryResults": "type: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;",
@@ -3665,9 +3824,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 145,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3680,6 +3840,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6928651Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3690,13 +3851,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.237\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: idsync.rlcdn.com\nQueryStatus: 0\nQueryResults: ::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "idsync.rlcdn.com",
 "QueryResults": "::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;",
@@ -3711,9 +3872,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 146,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3726,6 +3888,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6928827Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3736,13 +3899,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.274\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cm.adform.net\nQueryStatus: 0\nQueryResults: type: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "cm.adform.net",
 "QueryResults": "type: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;",
@@ -3757,9 +3920,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 147,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3772,6 +3936,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6928919Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3782,13 +3947,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.302\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dm.hybrid.ai\nQueryStatus: 0\nQueryResults: ::ffff:37.18.16.16;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "dm.hybrid.ai",
 "QueryResults": "::ffff:37.18.16.16;",
@@ -3803,9 +3968,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 148,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3818,6 +3984,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6929042Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3828,13 +3995,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.304\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: static.adsafeprotected.com\nQueryStatus: 0\nQueryResults: type: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "static.adsafeprotected.com",
 "QueryResults": "type: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
@@ -3849,9 +4016,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 149,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3864,6 +4032,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6929201Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3874,13 +4043,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.322\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: trc.taboola.com\nQueryStatus: 0\nQueryResults: type: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "trc.taboola.com",
 "QueryResults": "type: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;",
@@ -3895,9 +4064,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 150,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3910,6 +4080,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6929352Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3920,13 +4091,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.379\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pippio.com\nQueryStatus: 0\nQueryResults: ::ffff:107.178.254.65;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "pippio.com",
 "QueryResults": "::ffff:107.178.254.65;",
@@ -3941,9 +4112,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 151,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -3956,6 +4128,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6929973Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -3966,13 +4139,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.482\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel-sync.sitescout.com\nQueryStatus: 0\nQueryResults: type: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "pixel-sync.sitescout.com",
 "QueryResults": "type: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;",
@@ -3987,9 +4160,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 152,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -4002,6 +4176,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6930107Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -4012,13 +4187,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.502\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: prod.y-medialink.com\nQueryStatus: 0\nQueryResults: ::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "prod.y-medialink.com",
 "QueryResults": "::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;",
@@ -4033,9 +4208,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 153,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -4048,6 +4224,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6930216Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -4058,13 +4235,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.507\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: jadserve.postrelease.com\nQueryStatus: 0\nQueryResults: type: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "jadserve.postrelease.com",
 "QueryResults": "type: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;",
@@ -4079,9 +4256,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 154,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -4094,6 +4272,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6930336Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -4104,13 +4283,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.508\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: appnexus-partners.tremorhub.com\nQueryStatus: 0\nQueryResults: type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "appnexus-partners.tremorhub.com",
 "QueryResults": "type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;",
@@ -4125,9 +4304,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 155,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -4140,6 +4320,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6930449Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -4150,13 +4331,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.531\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: x.dlx.addthis.com\nQueryStatus: 0\nQueryResults: type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "x.dlx.addthis.com",
 "QueryResults": "type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;",
@@ -4171,9 +4352,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 156,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -4186,6 +4368,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6930572Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -4196,13 +4379,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.532\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dh.serving-sys.com\nQueryStatus: 0\nQueryResults: type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "dh.serving-sys.com",
 "QueryResults": "type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;",
@@ -4217,9 +4400,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 157,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -4232,6 +4416,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.6930703Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -4242,13 +4427,13 @@
 "log": {
 "level": "information"
 },
+ "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.534\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: match.sharethrough.com\nQueryStatus: 0\nQueryResults: type: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9",
 "winlog": {
- "api": "wineventlog",
 "channel": "Microsoft-Windows-Sysmon/Operational",
 "computer_name": "vagrant-2016",
 "event_data": {
 "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe",
- "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}",
+ "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}",
 "ProcessId": "2736",
 "QueryName": "match.sharethrough.com",
 "QueryResults": "type: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;",
@@ -4263,9 +4448,10 @@
 "id": 1684
 }
 },
- "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
+ "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
 "provider_name": "Microsoft-Windows-Sysmon",
 "record_id": 158,
+ "task": "Dns query (rule: DnsQuery)",
 "user": {
 "domain": "NT AUTHORITY",
 "identifier": "S-1-5-18",
@@ -4278,6 +4464,7 @@
 {
 "@timestamp": "2019-07-18T03:34:04.8365914Z",
 "event": {
+ "action": "Dns query (rule: DnsQuery)",
 "code": "22",
 "kind": "event",
 "provider": "Microsoft-Windows-Sysmon"
@@ -4288,13 +4475,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.601\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tags.rd.linksynergy.com\nQueryStatus: 0\nQueryResults: ::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "tags.rd.linksynergy.com", "QueryResults": "::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", @@ -4309,9 +4496,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 159, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4324,6 +4512,7 @@ { "@timestamp": "2019-07-18T03:34:04.8366083Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4334,13 +4523,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.604\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: rtb-csync.smartadserver.com\nQueryStatus: 0\nQueryResults: type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "rtb-csync.smartadserver.com", "QueryResults": "type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", @@ -4355,9 +4544,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 160, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4370,6 +4560,7 @@ { "@timestamp": "2019-07-18T03:34:04.8366266Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4380,13 +4571,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.621\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sc.iasds01.com\nQueryStatus: 0\nQueryResults: type: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "sc.iasds01.com", "QueryResults": "type: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", @@ -4401,9 +4592,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 161, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4416,6 +4608,7 @@ { "@timestamp": "2019-07-18T03:34:05.0346464Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4426,13 +4619,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.822\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dt.adsafeprotected.com\nQueryStatus: 0\nQueryResults: type: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "dt.adsafeprotected.com", "QueryResults": "type: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", @@ -4447,9 +4640,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 162, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4462,6 +4656,7 @@ { "@timestamp": "2019-07-18T03:34:05.0346573Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4472,13 +4667,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.822\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: status.thawte.com\nQueryStatus: 0\nQueryResults: type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "status.thawte.com", "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", @@ -4493,9 +4688,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 163, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4508,6 +4704,7 @@ { "@timestamp": "2019-07-18T03:34:05.0347983Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4518,13 +4715,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.860\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ads.stickyadstv.com\nQueryStatus: 0\nQueryResults: type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ads.stickyadstv.com", "QueryResults": "type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;", @@ -4539,9 +4736,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 164, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4554,6 +4752,7 @@ { "@timestamp": "2019-07-18T03:34:06.0516927Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4564,13 +4763,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.904\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: hbx.media.net\nQueryStatus: 0\nQueryResults: type: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "hbx.media.net", "QueryResults": "type: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;", @@ -4585,9 +4784,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 165, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4600,6 +4800,7 @@ { "@timestamp": "2019-07-18T03:34:06.05171Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4610,13 +4811,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.911\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: match.taboola.com\nQueryStatus: 0\nQueryResults: type: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "match.taboola.com", "QueryResults": "type: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;", @@ -4631,9 +4832,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 166, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4646,6 +4848,7 @@ { "@timestamp": "2019-07-18T03:34:06.0519029Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4656,13 +4859,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.056\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: img-s-msn-com.akamaized.net\nQueryStatus: 0\nQueryResults: type: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "img-s-msn-com.akamaized.net", "QueryResults": "type: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;", @@ -4677,9 +4880,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 167, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4692,6 +4896,7 @@ { "@timestamp": "2019-07-18T03:34:07.0493197Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4702,13 +4907,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.064\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: static-entertainment-eus-s-msn-com.akamaized.net\nQueryStatus: 0\nQueryResults: type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "static-entertainment-eus-s-msn-com.akamaized.net", "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;", @@ -4723,9 +4928,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 168, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4738,6 +4944,7 @@ { "@timestamp": "2019-07-18T03:34:07.0493349Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4748,13 +4955,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.178\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: radarmaps.weather.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "radarmaps.weather.microsoft.com", "QueryResults": "type: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;", @@ -4769,9 +4976,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 169, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4784,6 +4992,7 @@ { "@timestamp": "2019-07-18T03:34:07.049349Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4794,13 +5003,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.455\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: static-entertainment-eus-s-msn-com.akamaized.net\nQueryStatus: 0\nQueryResults: type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessGuid": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "ProcessId": "356", "QueryName": "static-entertainment-eus-s-msn-com.akamaized.net", "QueryResults": "type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;", @@ -4815,9 +5024,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 170, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4830,6 +5040,7 @@ { "@timestamp": "2019-07-18T03:34:07.0493642Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4840,13 +5051,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.494\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tag.sp.advertising.com\nQueryStatus: 0\nQueryResults: type: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "tag.sp.advertising.com", "QueryResults": "type: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;", @@ -4861,9 +5072,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 171, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4876,6 +5088,7 @@ { "@timestamp": "2019-07-18T03:34:07.0493772Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4886,13 +5099,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.567\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: www.bing.com\nQueryStatus: 0\nQueryResults: type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "www.bing.com", "QueryResults": "type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;", @@ -4907,9 +5120,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 172, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4922,6 +5136,7 @@ { "@timestamp": "2019-07-18T03:34:08.0542702Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4932,13 +5147,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.228\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cdn.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "cdn.doubleverify.com", "QueryResults": "type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;", @@ -4953,9 +5168,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 173, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4968,6 +5184,7 @@ { "@timestamp": "2019-07-18T03:34:08.0543026Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -4978,13 +5195,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.357\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cdn3.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "cdn3.doubleverify.com", "QueryResults": "type: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;", @@ -4999,9 +5216,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 174, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5014,6 +5232,7 @@ { "@timestamp": "2019-07-18T03:34:08.0543273Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5024,13 +5243,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.721\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: rtb0.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "rtb0.doubleverify.com", "QueryResults": "type: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", @@ -5045,9 +5264,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 175, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5060,6 +5280,7 @@ { "@timestamp": "2019-07-18T03:34:08.0543446Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5070,13 +5291,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.774\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dev.virtualearth.net\nQueryStatus: 0\nQueryResults: type: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "dev.virtualearth.net", "QueryResults": "type: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;", @@ -5091,9 +5312,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 176, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5106,6 +5328,7 @@ { "@timestamp": "2019-07-18T03:34:08.0543562Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5116,13 +5339,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.847\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: t.ssl.ak.dynamic.tiles.virtualearth.net\nQueryStatus: 0\nQueryResults: type: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "t.ssl.ak.dynamic.tiles.virtualearth.net", "QueryResults": "type: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;", @@ -5137,9 +5360,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 177, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5152,6 +5376,7 @@ { "@timestamp": "2019-07-18T03:34:08.0544116Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5162,13 +5387,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.943\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: rp.gwallet.com\nQueryStatus: 0\nQueryResults: ::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "rp.gwallet.com", "QueryResults": "::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", @@ -5183,9 +5408,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 178, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5198,6 +5424,7 @@ { "@timestamp": "2019-07-18T03:34:08.0544229Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5208,13 +5435,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.945\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ads.yahoo.com\nQueryStatus: 0\nQueryResults: type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ads.yahoo.com", "QueryResults": "type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;", @@ -5229,9 +5456,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 179, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5244,6 +5472,7 @@ { "@timestamp": "2019-07-18T03:34:08.0544328Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5254,13 +5483,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.954\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: um.simpli.fi\nQueryStatus: 0\nQueryResults: ::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "um.simpli.fi", "QueryResults": "::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;", @@ -5275,9 +5504,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 180, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5290,6 +5520,7 @@ { "@timestamp": "2019-07-18T03:34:08.0544448Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5300,13 +5531,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.955\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: mpp.vindicosuite.com\nQueryStatus: 0\nQueryResults: ::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "mpp.vindicosuite.com", "QueryResults": "::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", @@ -5321,9 +5552,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 181, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5336,6 +5568,7 @@ { "@timestamp": "2019-07-18T03:34:08.0544546Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5346,13 +5579,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.955\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.1rx.io\nQueryStatus: 0\nQueryResults: ::ffff:8.41.222.152;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "sync.1rx.io", "QueryResults": "::ffff:8.41.222.152;", @@ -5367,9 +5600,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 182, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5382,6 +5616,7 @@ { "@timestamp": "2019-07-18T03:34:08.0544649Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5392,13 +5627,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.956\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.teads.tv\nQueryStatus: 0\nQueryResults: type: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "sync.teads.tv", "QueryResults": "type: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;", @@ -5413,9 +5648,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 183, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5428,6 +5664,7 @@ { "@timestamp": "2019-07-18T03:34:08.0544828Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5438,13 +5675,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.019\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: s.thebrighttag.com\nQueryStatus: 0\nQueryResults: type: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "s.thebrighttag.com", "QueryResults": "type: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", @@ -5459,9 +5696,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 184, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5474,6 +5712,7 @@ { "@timestamp": "2019-07-18T03:34:09.0538834Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5484,13 +5723,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.050\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: t.a3cloud.net\nQueryStatus: 0\nQueryResults: type: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "t.a3cloud.net", "QueryResults": "type: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;", @@ -5505,9 +5744,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 186, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5520,6 +5760,7 @@ { "@timestamp": "2019-07-18T03:34:09.0539007Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5530,13 +5771,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.070\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tps618.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "tps618.doubleverify.com", "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", @@ -5551,9 +5792,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 187, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5566,6 +5808,7 @@ { "@timestamp": "2019-07-18T03:34:09.0539141Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5576,13 +5819,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.090\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dpm.demdex.net\nQueryStatus: 0\nQueryResults: type: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "dpm.demdex.net", "QueryResults": "type: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;", @@ -5597,9 +5840,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 188, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5612,6 +5856,7 @@ { "@timestamp": "2019-07-18T03:34:09.0539388Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5622,13 +5867,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.308\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: secure.adnxs.com\nQueryStatus: 0\nQueryResults: type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "secure.adnxs.com", "QueryResults": "type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", @@ -5643,9 +5888,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 189, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5658,6 +5904,7 @@ { "@timestamp": "2019-07-18T03:34:09.0539493Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5668,13 +5915,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.478\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tps.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "tps.doubleverify.com", "QueryResults": "type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", @@ -5689,9 +5936,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 190, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5704,6 +5952,7 @@ { "@timestamp": "2019-07-18T03:34:09.0677523Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5714,13 +5963,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.536\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: i.liadm.com\nQueryStatus: 0\nQueryResults: type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "i.liadm.com", "QueryResults": "type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;", @@ -5735,9 +5984,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 191, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5750,6 +6000,7 @@ { "@timestamp": "2019-07-18T03:34:09.067766Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5760,13 +6011,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.544\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel.s3xified.com\nQueryStatus: 0\nQueryResults: ::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "pixel.s3xified.com", "QueryResults": "::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;", @@ -5781,9 +6032,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 192, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5796,6 +6048,7 @@ { "@timestamp": "2019-07-18T03:34:09.0677766Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5806,13 +6059,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.550\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: router.infolinks.com\nQueryStatus: 0\nQueryResults: ::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "router.infolinks.com", "QueryResults": "::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", @@ -5827,9 +6080,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 193, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5842,6 +6096,7 @@ { "@timestamp": "2019-07-18T03:34:09.0677879Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5852,13 +6107,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.552\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: grey.erne.co\nQueryStatus: 0\nQueryResults: ::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "grey.erne.co", "QueryResults": "::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;", @@ -5873,9 +6128,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 194, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5888,6 +6144,7 @@ { "@timestamp": "2019-07-18T03:34:09.0677978Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5898,13 +6155,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.552\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.jivox.com\nQueryStatus: 0\nQueryResults: ::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "sync.jivox.com", "QueryResults": "::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;", @@ -5919,9 +6176,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 195, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5934,6 +6192,7 @@ { "@timestamp": "2019-07-18T03:34:09.0678196Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5944,13 +6203,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.594\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: b1sync.zemanta.com\nQueryStatus: 0\nQueryResults: type: 5 b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "b1sync.zemanta.com", "QueryResults": "type: 5 
b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5", @@ -5965,9 +6224,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 196, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5980,6 +6240,7 @@ { "@timestamp": "2019-07-18T03:34:09.0678355Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -5990,13 +6251,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.619\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tg.socdm.com\nQueryStatus: 0\nQueryResults: type: 5 tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "tg.socdm.com", "QueryResults": "type: 5 tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;", @@ -6011,9 +6272,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 197, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6026,6 +6288,7 @@ { "@timestamp": "2019-07-18T03:34:09.067845Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6036,13 +6299,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.620\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: prebid.adnxs.com\nQueryStatus: 0\nQueryResults: type: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "prebid.adnxs.com", "QueryResults": "type: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;", @@ -6057,9 +6320,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 198, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6072,6 +6336,7 @@ { "@timestamp": "2019-07-18T03:34:09.0678835Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6082,13 +6347,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.811\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ul1.dvtps.com\nQueryStatus: 0\nQueryResults: type: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ul1.dvtps.com", "QueryResults": "type: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", @@ -6103,9 +6368,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 199, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6118,6 +6384,7 @@ { "@timestamp": "2019-07-18T03:34:09.0679463Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6128,13 +6395,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.912\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ul1.dvtps.com\nQueryStatus: 9701\nQueryResults: \nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ul1.dvtps.com", "QueryStatus": "9701", @@ -6148,9 +6415,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 200, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6163,6 +6431,7 @@ { "@timestamp": "2019-07-18T03:34:09.0680034Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6173,13 +6442,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.016\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tags.bluekai.com\nQueryStatus: 0\nQueryResults: type: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "tags.bluekai.com", "QueryResults": "type: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;", @@ -6194,9 +6463,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 201, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6209,6 +6479,7 @@ { "@timestamp": "2019-07-18T03:34:10.0674672Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6219,13 +6490,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.048\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cdnjs.cloudflare.com\nQueryStatus: 0\nQueryResults: ::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "cdnjs.cloudflare.com", "QueryResults": "::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;", @@ -6240,9 +6511,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 202, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6255,6 +6527,7 @@ { "@timestamp": "2019-07-18T03:34:10.0674881Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6265,13 +6538,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.051\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel.onaudience.com\nQueryStatus: 0\nQueryResults: ::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "pixel.onaudience.com", "QueryResults": "::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", @@ -6286,9 +6559,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 203, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6301,6 +6575,7 @@ { "@timestamp": "2019-07-18T03:34:10.0675046Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6311,13 +6586,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.054\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: status.geotrust.com\nQueryStatus: 0\nQueryResults: type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "status.geotrust.com", "QueryResults": "type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;", @@ -6332,9 +6607,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 204, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6347,6 +6623,7 @@ { "@timestamp": "2019-07-18T03:34:10.0675293Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6357,13 +6634,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.126\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.trust-provider.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ocsp.trust-provider.com", "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", @@ -6378,9 +6655,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 205, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6393,6 +6671,7 @@ { "@timestamp": "2019-07-18T03:34:10.0675508Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6403,13 +6682,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.184\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.comodoca4.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ocsp.comodoca4.com", "QueryResults": "type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", @@ -6424,9 +6703,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 206, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6439,6 +6719,7 @@ { "@timestamp": "2019-07-18T03:34:10.0675942Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6449,13 +6730,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.322\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.crwdcntrl.net\nQueryStatus: 0\nQueryResults: type: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "sync.crwdcntrl.net", "QueryResults": "type: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;", @@ -6470,9 +6751,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 207, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6485,6 +6767,7 @@ { "@timestamp": "2019-07-18T03:34:10.0676348Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6495,13 +6778,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.730\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: match.sync.ad.cpe.dotomi.com\nQueryStatus: 0\nQueryResults: type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "match.sync.ad.cpe.dotomi.com", "QueryResults": "type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;", @@ -6516,9 +6799,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 208, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6531,6 +6815,7 @@ { "@timestamp": "2019-07-18T03:34:11.066534Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6541,13 +6826,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:10.627\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tps10230.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "tps10230.doubleverify.com", "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", @@ -6562,9 +6847,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 209, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6577,6 +6863,7 @@ { "@timestamp": "2019-07-18T03:34:11.0665587Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6587,13 +6874,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:10.650\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tps10221.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "tps10221.doubleverify.com", "QueryResults": "type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;", @@ -6608,9 +6895,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 210, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6623,6 +6911,7 @@ { "@timestamp": "2019-07-18T03:34:17.2720222Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6633,13 +6922,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:16.329\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: www.facebook.com\nQueryStatus: 0\nQueryResults: type: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "www.facebook.com", "QueryResults": "type: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;", @@ -6654,9 +6943,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 212, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6669,6 +6959,7 @@ { "@timestamp": "2019-07-18T03:34:17.2721029Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6679,13 +6970,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:16.386\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: platform.twitter.com\nQueryStatus: 0\nQueryResults: type: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "platform.twitter.com", "QueryResults": "type: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;", @@ -6700,9 +6991,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 213, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6715,6 +7007,7 @@ { "@timestamp": "2019-07-18T03:34:17.2721343Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6725,13 +7018,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:16.482\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: syndication.twitter.com\nQueryStatus: 0\nQueryResults: ::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "syndication.twitter.com", "QueryResults": "::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;", @@ -6746,9 +7039,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 214, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6761,6 +7055,7 @@ { "@timestamp": "2019-07-18T03:34:21.5524909Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6771,13 +7066,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:19.578\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ade.googlesyndication.com\nQueryStatus: 0\nQueryResults: type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "ProcessGuid": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "ProcessId": "2736", "QueryName": "ade.googlesyndication.com", "QueryResults": "type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;", @@ -6792,9 +7087,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 215, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6807,6 +7103,7 @@ { "@timestamp": "2019-07-18T03:34:33.1481043Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6817,13 +7114,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:31.219\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: iecvlist.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessGuid": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "ProcessId": "356", "QueryName": "iecvlist.microsoft.com", "QueryResults": "type: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;", @@ -6838,9 +7135,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 216, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6853,6 +7151,7 @@ { "@timestamp": "2019-07-18T03:39:03.6856902Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6863,13 +7162,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:39:02.752\nProcessGuid: {FA4A0DE6-B1A2-5D2F-0000-00106ACA0000}\nProcessId: 0\nQueryName: tsfe.trafficshaping.dsp.mp.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;\nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Windows\\System32\\svchost.exe", - "ProcessGuid": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "ProcessGuid": "{FA4A0DE6-B1A2-5D2F-0000-00106ACA0000}", "ProcessId": "844", "QueryName": "tsfe.trafficshaping.dsp.mp.microsoft.com", "QueryResults": "type: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;", @@ -6884,9 +7183,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 220, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6899,6 +7199,7 @@ { "@timestamp": "2019-07-18T03:39:22.4321531Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -6909,13 +7210,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:39:20.413\nProcessGuid: {FA4A0DE6-B1A2-5D2F-0000-00106ACA0000}\nProcessId: 0\nQueryName: isatap.local.crowbird.com\nQueryStatus: 9003\nQueryResults: \nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Windows\\System32\\svchost.exe", - "ProcessGuid": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "ProcessGuid": "{FA4A0DE6-B1A2-5D2F-0000-00106ACA0000}", "ProcessId": "844", "QueryName": "isatap.local.crowbird.com", "QueryStatus": "9003", @@ -6929,9 +7230,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 221, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6944,6 +7246,7 @@ { "@timestamp": "2019-07-18T03:39:42.5545393Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -6954,13 +7257,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:39:40.504\nProcessGuid: {FA4A0DE6-E9F7-5D2F-0000-001031039C00}\nProcessId: 0\nQueryName: puppet\nQueryStatus: 9003\nQueryResults: \nImage: C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe", - "ProcessGuid": "{fa4a0de6-e9f7-5d2f-0000-001031039c00}", + "ProcessGuid": "{FA4A0DE6-E9F7-5D2F-0000-001031039C00}", "ProcessId": "676", "QueryName": "puppet", "QueryStatus": "9003", 
@@ -6974,9 +7277,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 230, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6989,6 +7293,7 @@ { "@timestamp": "2019-07-18T03:40:42.4472937Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -6999,13 +7304,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:40:40.433\nProcessGuid: {FA4A0DE6-B1A2-5D2F-0000-001016F70000}\nProcessId: 0\nQueryName: wpad\nQueryStatus: 9003\nQueryResults: \nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Windows\\System32\\svchost.exe", - "ProcessGuid": "{fa4a0de6-b1a2-5d2f-0000-001016f70000}", + "ProcessGuid": "{FA4A0DE6-B1A2-5D2F-0000-001016F70000}", "ProcessId": "636", "QueryName": "wpad", "QueryStatus": "9003", @@ -7019,9 +7324,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 231, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7034,6 +7340,7 @@ { "@timestamp": "2019-07-18T03:42:55.556826Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7044,13 +7351,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:42:54.033\nProcessGuid: {FA4A0DE6-B1A3-5D2F-0000-00102F440100}\nProcessId: 0\nQueryName: v10.vortex-win.data.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;\nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Windows\\System32\\svchost.exe", - "ProcessGuid": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "ProcessGuid": "{FA4A0DE6-B1A3-5D2F-0000-00102F440100}", "ProcessId": "1788", "QueryName": "v10.vortex-win.data.microsoft.com", "QueryResults": "type: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;", @@ -7065,9 +7372,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 232, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7080,6 +7388,7 @@ { "@timestamp": "2019-07-18T03:43:06.4599868Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7090,13 +7399,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:43:04.400\nProcessGuid: {FA4A0DE6-B1A3-5D2F-0000-00102F440100}\nProcessId: 0\nQueryName: settings-win.data.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;\nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Windows\\System32\\svchost.exe", - "ProcessGuid": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "ProcessGuid": "{FA4A0DE6-B1A3-5D2F-0000-00102F440100}", "ProcessId": "1788", "QueryName": "settings-win.data.microsoft.com", "QueryResults": "type: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;", @@ -7111,9 +7420,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 233, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7126,6 +7436,7 @@ { "@timestamp": "2019-07-18T03:49:52.1056327Z", "event": { + "action": "Dns query (rule: DnsQuery)", "code": "22", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -7136,13 +7447,13 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:49:51.154\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: c.urs.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_data": { "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe", - "ProcessGuid": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "ProcessGuid": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "ProcessId": "356", "QueryName": "c.urs.microsoft.com", "QueryResults": "type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;", @@ -7157,9 +7468,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 234, + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-filedelete.evtx.golden.json index 74c449820de1..51e2aadcafee 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-filedelete.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-filedelete.evtx.golden.json 
@@ -2,6 +2,7 @@ { "@timestamp": "2020-05-07T08:14:44.4899785Z", "event": { + "action": "File Delete archived (rule: FileDelete)", "code": "23", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -12,8 +13,8 @@ "log": { "level": "information" }, + "message": "File Delete archived:\nRuleName: -\nUtcTime: 2020-05-07 08:14:44.489\nProcessGuid: {42F11C3B-C36F-5EB3-2C07-290000000000}\nProcessId: 2184\nUser: VAGRANT-2012-R2\\vagrant\nImage: C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\nHashes: MD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\nIsExecutable: true\nArchived: true", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -21,7 +22,7 @@ "Hashes": "MD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2", "Image": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe", "IsExecutable": "true", - "ProcessGuid": "{42f11c3b-c36f-5eb3-2c07-290000000000}", + "ProcessGuid": "{42F11C3B-C36F-5EB3-2C07-290000000000}", "ProcessId": "2184", "RuleName": "-", "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe", @@ -36,9 +37,10 @@ "id": 2360 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 612, + "task": "File Delete archived (rule: FileDelete)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -51,6 +53,7 @@ { "@timestamp": "2020-05-07T07:27:18.7221361Z", "event": { + "action": "File Delete archived (rule: FileDelete)", "code": "23", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -61,8 +64,8 @@ "log": { "level": "information" }, + "message": "File Delete archived:\nRuleName: -\nUtcTime: 2020-05-07 07:27:18.722\nProcessGuid: {42F11C3B-B2B6-5EB3-18AB-000000000000}\nProcessId: 776\nUser: NT AUTHORITY\\LOCAL SERVICE\nImage: C:\\Windows\\System32\\svchost.exe\nTargetFilename: C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\nHashes: SHA1=115106F5B338C87AE6836D50DD890DE3DA296367\nIsExecutable: false\nArchived: true", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -70,7 +73,7 @@ "Hashes": "SHA1=115106F5B338C87AE6836D50DD890DE3DA296367", "Image": "C:\\Windows\\System32\\svchost.exe", "IsExecutable": "false", - "ProcessGuid": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", + "ProcessGuid": "{42F11C3B-B2B6-5EB3-18AB-000000000000}", "ProcessId": "776", "RuleName": "-", "TargetFilename": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat", @@ -85,9 +88,10 @@ "id": 2360 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 11, + "task": "File Delete archived (rule: FileDelete)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -100,6 +104,7 @@ { "@timestamp": "2020-05-12T06:48:27.0840442Z", "event": { + "action": "File Delete archived (rule: FileDelete)", "code": "23", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -110,8 +115,8 @@ "log": { "level": "information" }, + "message": "File Delete archived:\nRuleName: -\nUtcTime: 2020-05-12 06:48:27.084\nProcessGuid: {42F11C3B-4664-5EBA-91AE-000000000000}\nProcessId: 820\nUser: NT AUTHORITY\\SYSTEM\nImage: C:\\Windows\\system32\\svchost.exe\nTargetFilename: C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\nHashes: MD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\nIsExecutable: false\nArchived: true", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -119,7 +124,7 @@ "Hashes": "MD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000", "Image": "C:\\Windows\\system32\\svchost.exe", "IsExecutable": "false", - "ProcessGuid": "{42f11c3b-4664-5eba-91ae-000000000000}", + "ProcessGuid": "{42F11C3B-4664-5EBA-91AE-000000000000}", "ProcessId": "820", "RuleName": "-", "TargetFilename": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d", @@ -134,9 +139,10 @@ "id": 1600 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2243, + "task": "File Delete archived (rule: FileDelete)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-filedeletedetected.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-filedeletedetected.evtx.golden.json index b4db5b63031d..164da2205620 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-filedeletedetected.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-filedeletedetected.evtx.golden.json 
@@ -2,6 +2,7 @@ { "@timestamp": "2022-01-24T05:12:34.3299803Z", "event": { + "action": "File Delete logged (rule: FileDeleteDetected)", "code": "26", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -12,15 +13,15 @@ "log": { "level": "information" }, + "message": "File Delete logged:\nRuleName: -\nUtcTime: 2022-01-24 05:12:34.328\nProcessGuid: {63A74932-A2B4-61EE-1B00-000000000700}\nProcessId: 1264\nUser: NT AUTHORITY\\LOCAL SERVICE\nImage: C:\\Windows\\System32\\svchost.exe\nTargetFilename: C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat\nHashes: SHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79\nIsExecutable: false", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { "Hashes": "SHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79", "Image": "C:\\Windows\\System32\\svchost.exe", "IsExecutable": "false", - "ProcessGuid": "{63a74932-a2b4-61ee-1b00-000000000700}", + "ProcessGuid": "{63A74932-A2B4-61EE-1B00-000000000700}", "ProcessId": "1264", "RuleName": "-", "TargetFilename": "C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat", @@ -35,9 +36,10 @@ "id": 3792 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 456, + "task": "File Delete logged (rule: FileDeleteDetected)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -50,6 +52,7 @@ { "@timestamp": "2022-01-24T05:12:51.04227Z", "event": { + "action": "File Delete logged (rule: FileDeleteDetected)", "code": "26", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -60,15 +63,15 @@ "log": { "level": "information" }, + "message": "File Delete logged:\nRuleName: -\nUtcTime: 2022-01-24 05:12:51.031\nProcessGuid: {63A74932-3523-61EE-AF00-000000000700}\nProcessId: 1364\nUser: NT AUTHORITY\\SYSTEM\nImage: C:\\Windows\\system32\\svchost.exe\nTargetFilename: C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000\nHashes: SHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B\nIsExecutable: false", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { "Hashes": "SHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B", "Image": "C:\\Windows\\system32\\svchost.exe", "IsExecutable": "false", - "ProcessGuid": "{63a74932-3523-61ee-af00-000000000700}", + "ProcessGuid": "{63A74932-3523-61EE-AF00-000000000700}", "ProcessId": "1364", "RuleName": "-", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000", @@ -83,9 +86,10 @@ "id": 3792 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 457, + "task": "File Delete logged (rule: FileDeleteDetected)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-registry.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-registry.evtx.golden.json index 0ef9ef3d650d..a9aaf5370b43 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-registry.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-11-registry.evtx.golden.json @@ -2,6 +2,7 @@ { "@timestamp": "2020-05-05T14:57:40.5995672Z", "event": { + "action": "Registry value set (rule: RegistryEvent)", "code": "13", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -12,15 +13,15 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:40.589\nProcessGuid: {5B522F6E-77AE-5EB1-2C03-000000000800}\nProcessId: 0\nImage: C:\\Windows\\regedit.exe\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\nDetails: DWORD (0x00000004)\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { "Details": "DWORD (0x00000004)", "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe", - "ProcessGuid": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "ProcessGuid": "{5B522F6E-77AE-5EB1-2C03-000000000800}", "ProcessId": "6072", "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1", @@ -34,9 +35,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2682, + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -49,6 +51,7 @@ { "@timestamp": "2020-05-05T14:57:44.7232485Z", "event": { + "action": "Registry value set (rule: RegistryEvent)", "code": "13", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -59,15 +62,15 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:44.714\nProcessGuid: {5B522F6E-7554-5EB1-6D00-000000000800}\nProcessId: 0\nImage: C:\\Windows\\Explorer.EXE\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\nDetails: Binary Data\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { "Details": "Binary Data", "EventType": "SetValue", "Image": "C:\\Windows\\Explorer.EXE", - "ProcessGuid": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "ProcessGuid": "{5B522F6E-7554-5EB1-6D00-000000000800}", "ProcessId": "4320", "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", @@ -81,9 +84,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2686, + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -96,6 +100,7 @@ { "@timestamp": "2020-05-05T14:57:44.7260099Z", "event": { + "action": "Registry value set (rule: RegistryEvent)", "code": "13", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -106,15 +111,15 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:44.714\nProcessGuid: {5B522F6E-77AE-5EB1-2C03-000000000800}\nProcessId: 0\nImage: C:\\Windows\\regedit.exe\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\nDetails: QWORD (0x00000000-0x00000005)\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { "Details": "QWORD (0x00000000-0x00000005)", "EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe", - "ProcessGuid": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "ProcessGuid": "{5B522F6E-77AE-5EB1-2C03-000000000800}", "ProcessId": "6072", "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2", @@ -128,9 +133,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2687, + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -143,6 +149,7 @@ { "@timestamp": "2020-05-05T14:57:46.8188214Z", "event": { + "action": "Registry value set (rule: RegistryEvent)", "code": "13", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -153,15 +160,15 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:46.808\nProcessGuid: {5B522F6E-7554-5EB1-6D00-000000000800}\nProcessId: 0\nImage: C:\\Windows\\Explorer.EXE\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\nDetails: Binary Data\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { "Details": "Binary Data", "EventType": "SetValue", "Image": "C:\\Windows\\Explorer.EXE", - "ProcessGuid": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "ProcessGuid": "{5B522F6E-7554-5EB1-6D00-000000000800}", "ProcessId": "4320", "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr", @@ -175,9 +182,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2690, + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -190,6 +198,7 @@ { "@timestamp": "2020-05-05T14:57:46.8188691Z", "event": { + "action": "Registry value set (rule: RegistryEvent)", "code": "13", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -200,15 +209,15 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:46.808\nProcessGuid: {5B522F6E-7554-5EB1-6D00-000000000800}\nProcessId: 0\nImage: C:\\Windows\\Explorer.EXE\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\nDetails: Binary Data\nUser: %9", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { "Details": "Binary Data", "EventType": "SetValue", "Image": "C:\\Windows\\Explorer.EXE", - "ProcessGuid": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "ProcessGuid": "{5B522F6E-7554-5EB1-6D00-000000000800}", "ProcessId": "4320", "RuleName": "-", "TargetObject": "HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA", @@ -222,9 +231,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2691, + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-12-loadimage.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-12-loadimage.evtx.golden.json index b4e1f9842a38..95a87f58e51f 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-12-loadimage.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-12-loadimage.evtx.golden.json 
@@ -2,6 +2,7 @@ { "@timestamp": "2020-10-28T02:39:26.3883252Z", "event": { + "action": "Image loaded (rule: ImageLoad)", "code": "7", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -12,8 +13,8 @@ "log": { "level": "information" }, + "message": "Image loaded:\nRuleName: -\nUtcTime: 2020-10-28 02:39:26.374\nProcessGuid: {9F32B55F-D9DE-5F98-F006-000000000600}\nProcessId: 0\nImage: C:\\Windows\\System32\\dllhost.exe\nImageLoaded: C:\\Windows\\System32\\IDStore.dll\nFileVersion: 10.0.17763.1 (WinBuild.160101.0800)\nDescription: Identity Store\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: IdStore.dll\nHashes: SHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\nSigned: true\nSignature: Microsoft Windows\nSignatureStatus: Valid\nUser: %16", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { @@ -24,7 +25,7 @@ "Image": "C:\\Windows\\System32\\dllhost.exe", "ImageLoaded": "C:\\Windows\\System32\\IDStore.dll", "OriginalFileName": "IdStore.dll", - "ProcessGuid": "{9f32b55f-d9de-5f98-f006-000000000600}", + "ProcessGuid": "{9F32B55F-D9DE-5F98-F006-000000000600}", "ProcessId": "5184", "Product": "Microsoft® Windows® Operating System", "RuleName": "-", @@ -41,9 +42,10 @@ "id": 4796 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 10685, + "task": "Image loaded (rule: ImageLoad)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", 
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-12-processcreate.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-12-processcreate.evtx.golden.json index 6e0cba4335fc..5f0cbe1ac1c8 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-12-processcreate.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-12-processcreate.evtx.golden.json @@ -2,6 +2,7 @@ { "@timestamp": "2020-10-27T20:00:14.3242341Z", "event": { + "action": "Process Create (rule: ProcessCreate)", "code": "1", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -12,8 +13,8 @@ "log": { "level": "information" }, + "message": "Process Create:\nRuleName: -\nUtcTime: 2020-10-27 20:00:14.320\nProcessGuid: {9F32B55F-7C4E-5F98-5803-000000000500}\nProcessId: 0\nImage: C:\\Windows\\System32\\notepad.exe\nFileVersion: 10.0.17763.475 (WinBuild.160101.0800)\nDescription: Notepad\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: NOTEPAD.EXE\nCommandLine: \"C:\\Windows\\system32\\notepad.exe\" \nCurrentDirectory: C:\\Users\\vagrant\\\nUser: VAGRANT\\vagrant\nLogonGuid: {9F32B55F-6FDD-5F98-E7C9-020000000000}\nLogonId: 0x0\nTerminalSessionId: 0\nIntegrityLevel: Medium\nHashes: SHA1=B6D237154F2E528F0B503B58B025862D66B02B73\nParentProcessGuid: {9F32B55F-6FDF-5F98-7000-000000000500}\nParentProcessId: 0\nParentImage: C:\\Windows\\explorer.exe\nParentCommandLine: C:\\Windows\\Explorer.EXE\nParentUser: %23", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { 
@@ -25,14 +26,14 @@ "Hashes": "SHA1=B6D237154F2E528F0B503B58B025862D66B02B73", "Image": "C:\\Windows\\System32\\notepad.exe", "IntegrityLevel": "Medium", - "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", + "LogonGuid": "{9F32B55F-6FDD-5F98-E7C9-020000000000}", "LogonId": "0x2c9e7", "OriginalFileName": "NOTEPAD.EXE", "ParentCommandLine": "C:\\Windows\\Explorer.EXE", "ParentImage": "C:\\Windows\\explorer.exe", - "ParentProcessGuid": "{9f32b55f-6fdf-5f98-7000-000000000500}", + "ParentProcessGuid": "{9F32B55F-6FDF-5F98-7000-000000000500}", "ParentProcessId": "4212", - "ProcessGuid": "{9f32b55f-7c4e-5f98-5803-000000000500}", + "ProcessGuid": "{9F32B55F-7C4E-5F98-5803-000000000500}", "ProcessId": "3616", "Product": "Microsoft® Windows® Operating System", "RuleName": "-", @@ -48,9 +49,10 @@ "id": 6876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 20, + "task": "Process Create (rule: ProcessCreate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-13-clipboardchange.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-13-clipboardchange.evtx.golden.json index 8285f5d3899b..5a7c5f38cdf0 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-13-clipboardchange.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-13-clipboardchange.evtx.golden.json @@ -2,6 +2,7 @@ { "@timestamp": "2021-02-25T15:04:48.6073435Z", "event": { + "action": "Clipboard changed (rule: ClipboardChange)", "code": "24", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -12,8 +13,8 @@ "log": { "level": "information" }, + "message": "Clipboard changed:\nRuleName: -\nUtcTime: 2021-02-25 15:04:48.592\nProcessGuid: {9497D8D9-AA1B-602F-A600-000000001000}\nProcessId: 0\nImage: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\nSession: 0\nClientInfo: user: DESKTOP-I9CQVAQ\\luks\nHashes: SHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\nArchived: true\nUser: %10", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "DESKTOP-I9CQVAQ", "event_data": { @@ -21,7 +22,7 @@ "ClientInfo": "user: DESKTOP-I9CQVAQ\\luks", "Hashes": "SHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000", "Image": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", - "ProcessGuid": "{9497d8d9-aa1b-602f-a600-000000001000}", + "ProcessGuid": "{9497D8D9-AA1B-602F-A600-000000001000}", "ProcessId": "2144", "RuleName": "-", "Session": "1", @@ -35,9 +36,10 @@ "id": 6444 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 10757412, + "task": "Clipboard changed (rule: ClipboardChange)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-13-processtampering.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-13-processtampering.evtx.golden.json index 6c767c9590d4..29454c962fc6 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-13-processtampering.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-13-processtampering.evtx.golden.json 
@@ -2,6 +2,7 @@ { "@timestamp": "2021-02-25T14:43:23.5512694Z", "event": { + "action": "Process Tampering (rule: ProcessTampering)", "code": "25", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -12,13 +13,13 @@ "log": { "level": "information" }, + "message": "Process Tampering:\nRuleName: -\nUtcTime: 2021-02-25 14:43:23.550\nProcessGuid: {9497D8D9-B78B-6037-6F13-000000001000}\nProcessId: 0\nImage: C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\nType: Image is replaced\nUser: %7", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "DESKTOP-I9CQVAQ", "event_data": { "Image": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe", - "ProcessGuid": "{9497d8d9-b78b-6037-6f13-000000001000}", + "ProcessGuid": "{9497D8D9-B78B-6037-6F13-000000001000}", "ProcessId": "2628", "RuleName": "-", "Type": "Image is replaced", @@ -32,9 +33,10 @@ "id": 5080 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 10737797, + "task": "Process Tampering (rule: ProcessTampering)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-9.01.evtx.golden.json index 8e4ad21c812a..5afbd430e86c 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-9.01.evtx.golden.json @@ -2,6 +2,7 @@ { "@timestamp": "2019-03-18T16:57:37.933324Z", "event": { + "action": "Sysmon config state changed", "code": "16", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -12,8 +13,8 @@ "log": { "level": "information" }, + "message": "Sysmon config state changed:\nUtcTime: 2019-03-18 16:57:37.933\nConfiguration: C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\nConfigurationFileHash: ", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -28,9 +29,10 @@ "id": 4724 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 1, + "task": "Sysmon config state changed", "user": { "identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001" }, @@ -40,6 +42,7 @@ { "@timestamp": "2019-03-18T16:57:38.011477Z", "event": { + "action": "Sysmon service state changed", "code": "4", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -50,8 +53,8 @@ "log": { "level": "information" }, + "message": "Sysmon service state changed:\nUtcTime: 2019-03-18 16:57:38.011\nState: Started\nVersion: 9.01\nSchemaVersion: 4.20", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -68,9 +71,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 2, + "task": "Sysmon service state changed", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -83,6 +87,7 @@ { "@timestamp": "2019-03-18T16:57:38.011477Z", "event": { + "action": "Process Create (rule: ProcessCreate)", "code": "1", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -93,8 +98,8 @@ "log": { "level": "information" }, + "message": "Process Create:\nRuleName: \nUtcTime: 2019-03-18 16:57:37.949\nProcessGuid: {42F11C3B-CE01-5C8F-0000-0010C73E2A00}\nProcessId: 0\nImage: C:\\Windows\\Sysmon.exe\nFileVersion: 9.01\nDescription: System activity monitor\nProduct: Sysinternals Sysmon\nCompany: Sysinternals - www.sysinternals.com\nOriginalFileName: C:\\Windows\\Sysmon.exe\nCommandLine: C:\\Windows\\system32\\\nCurrentDirectory: NT AUTHORITY\\SYSTEM\nUser: {42F11C3B-6E1A-5C8C-0000-0020E7030000}\nLogonGuid: 0x3e7\nLogonId: 0x0\nTerminalSessionId: 0\nIntegrityLevel: SHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\nHashes: {42F11C3B-6E1A-5C8C-0000-0010F14D0000}\nParentProcessGuid: 488\nParentProcessId: 0\nParentImage: C:\\Windows\\system32\\services.exe\nParentCommandLine: %22\nParentUser: %23", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -106,13 +111,13 @@ "Hashes": "SHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E", "Image": "C:\\Windows\\Sysmon.exe", "IntegrityLevel": "System", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonGuid": "{42F11C3B-6E1A-5C8C-0000-0020E7030000}", "LogonId": "0x3e7", "ParentCommandLine": "C:\\Windows\\system32\\services.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", - "ParentProcessGuid": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}", + "ParentProcessGuid": "{42F11C3B-6E1A-5C8C-0000-0010F14D0000}", "ParentProcessId": "488", - "ProcessGuid": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", + "ProcessGuid": "{42F11C3B-CE01-5C8F-0000-0010C73E2A00}", "ProcessId": "4860", "Product": "Sysinternals Sysmon", "TerminalSessionId": "0", 
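Review bot: The new `message` values accepted in this golden file render the Sysmon 9.01 Process Create event against a template with more insertion parameters than the event supplies, so the labels are shifted by several fields (`IntegrityLevel: SHA1=…`, `Hashes: {42F11C3B-…}`, `ParentProcessGuid: 488`, `CurrentDirectory: NT AUTHORITY\SYSTEM`) and the tail is left as raw `%22`/`%23` placeholders; the per-field `event_data` on the same lines is correct, so this is a message-formatting defect in the raw-API path rather than bad source data. Every rendered message in these hunks also shows `ProcessId: 0` while `event_data.ProcessId` is non-zero (e.g. `4860`, `5028`), which suggests that at least one integer insertion is not being formatted at all. Analysts and detection content that key on `message` (a common fallback when `event_data` is not parsed) would be silently misattributed, so this should be treated as a failing expectation instead of ratified as the golden output. I would suggest the formatter verify that the number of insertion parameters in the publisher template matches the event's data-item count before rendering, and otherwise fall back to a `message` built from `event_data` (or leave it unset) rather than emitting a shifted string; the rendering code itself is outside these hunks, so the exact cause cannot be confirmed here.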
@@ -127,9 +132,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 3, + "task": "Process Create (rule: ProcessCreate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -142,6 +148,7 @@ { "@timestamp": "2019-03-18T16:57:38.011477Z", "event": { + "action": "Process Create (rule: ProcessCreate)", "code": "1", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -152,8 +159,8 @@ "log": { "level": "information" }, + "message": "Process Create:\nRuleName: \nUtcTime: 2019-03-18 16:57:37.964\nProcessGuid: {42F11C3B-CE01-5C8F-0000-00102C412A00}\nProcessId: 0\nImage: C:\\Windows\\System32\\wbem\\unsecapp.exe\nFileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)\nDescription: Sink to receive asynchronous callbacks for WMI client application\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\nCommandLine: C:\\Windows\\system32\\\nCurrentDirectory: NT AUTHORITY\\SYSTEM\nUser: {42F11C3B-6E1A-5C8C-0000-0020E7030000}\nLogonGuid: 0x3e7\nLogonId: 0x0\nTerminalSessionId: 0\nIntegrityLevel: SHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\nHashes: {42F11C3B-6E1B-5C8C-0000-00102F610000}\nParentProcessGuid: 560\nParentProcessId: 0\nParentImage: C:\\Windows\\system32\\svchost.exe -k DcomLaunch\nParentCommandLine: %22\nParentUser: %23", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { 
@@ -165,13 +172,13 @@ "Hashes": "SHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678", "Image": "C:\\Windows\\System32\\wbem\\unsecapp.exe", "IntegrityLevel": "System", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonGuid": "{42F11C3B-6E1A-5C8C-0000-0020E7030000}", "LogonId": "0x3e7", "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", "ParentImage": "C:\\Windows\\System32\\svchost.exe", - "ParentProcessGuid": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", + "ParentProcessGuid": "{42F11C3B-6E1B-5C8C-0000-00102F610000}", "ParentProcessId": "560", - "ProcessGuid": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", + "ProcessGuid": "{42F11C3B-CE01-5C8F-0000-00102C412A00}", "ProcessId": "5028", "Product": "Microsoft® Windows® Operating System", "TerminalSessionId": "0", @@ -186,9 +193,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 4, + "task": "Process Create (rule: ProcessCreate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -201,6 +209,7 @@ { "@timestamp": "2019-03-18T16:57:38.9811378Z", "event": { + "action": "Process terminated (rule: ProcessTerminate)", "code": "5", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -211,13 +220,13 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:38.981\nProcessGuid: {42F11C3B-CDF4-5C8F-0000-0010E61E2A00}\nProcessId: 0\nImage: C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\nUser: %6", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "Image": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe", - "ProcessGuid": "{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}", + "ProcessGuid": "{42F11C3B-CDF4-5C8F-0000-0010E61E2A00}", "ProcessId": "4616", "UtcTime": "2019-03-18 16:57:38.981" }, 
@@ -229,9 +238,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 5, + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -244,6 +254,7 @@ { "@timestamp": "2019-03-18T16:57:38.9811378Z", "event": { + "action": "Process terminated (rule: ProcessTerminate)", "code": "5", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -254,13 +265,13 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:38.981\nProcessGuid: {42F11C3B-CDF4-5C8F-0000-0010071E2A00}\nProcessId: 0\nImage: C:\\Users\\vagrant\\Downloads\\Sysmon.exe\nUser: %6", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "Image": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe", - "ProcessGuid": "{42f11c3b-cdf4-5c8f-0000-0010071e2a00}", + "ProcessGuid": "{42F11C3B-CDF4-5C8F-0000-0010071E2A00}", "ProcessId": "4648", "UtcTime": "2019-03-18 16:57:38.981" }, @@ -272,9 +283,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 6, + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -287,6 +299,7 @@ { "@timestamp": "2019-03-18T16:57:39.0127447Z", "event": { + "action": "Process Create (rule: ProcessCreate)", "code": "1", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -297,8 +310,8 @@ "log": { "level": "information" }, + "message": "Process Create:\nRuleName: \nUtcTime: 2019-03-18 16:57:39.012\nProcessGuid: {42F11C3B-CE03-5C8F-0000-0010E9462A00}\nProcessId: 0\nImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\nFileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)\nDescription: WMI Provider Host\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\nCommandLine: C:\\Windows\\system32\\\nCurrentDirectory: NT AUTHORITY\\SYSTEM\nUser: {42F11C3B-6E1A-5C8C-0000-0020E7030000}\nLogonGuid: 0x3e7\nLogonId: 0x0\nTerminalSessionId: 0\nIntegrityLevel: SHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\nHashes: {42F11C3B-6E1B-5C8C-0000-00102F610000}\nParentProcessGuid: 560\nParentProcessId: 0\nParentImage: C:\\Windows\\system32\\svchost.exe -k DcomLaunch\nParentCommandLine: %22\nParentUser: %23", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -310,13 +323,13 @@ "Hashes": "SHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21", "Image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "IntegrityLevel": "System", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonGuid": "{42F11C3B-6E1A-5C8C-0000-0020E7030000}", "LogonId": "0x3e7", "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", "ParentImage": "C:\\Windows\\System32\\svchost.exe", - "ParentProcessGuid": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", + "ParentProcessGuid": "{42F11C3B-6E1B-5C8C-0000-00102F610000}", "ParentProcessId": "560", - "ProcessGuid": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", + "ProcessGuid": "{42F11C3B-CE03-5C8F-0000-0010E9462A00}", "ProcessId": "4508", "Product": "Microsoft® Windows® Operating System", "TerminalSessionId": "0", 
@@ -331,9 +344,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 7, + "task": "Process Create (rule: ProcessCreate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -346,6 +360,7 @@ { "@timestamp": "2019-03-18T16:57:49.0897231Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -356,8 +371,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:47.847\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: a00:20f:0:0:18a2:6e00:e0:ffff\nSourceHostname: \nSourcePort: 62141\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: a00:203:3000:3000:3000:3000:3000:3300\nDestinationHostname: \nDestinationPort: 53\nDestinationPortName: domain", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -367,7 +382,7 @@ "DestinationPortName": "domain", "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", - "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessGuid": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "ProcessId": "924", "Protocol": "udp", "SourceIp": "a00:20f:0:0:18a2:6e00:e0:ffff", @@ -384,9 +399,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 8, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", 
@@ -399,6 +415,7 @@ { "@timestamp": "2019-03-18T16:57:49.0897231Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -409,8 +426,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.070\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 62141\nSourcePortName: \nDestinationIsIpv6: false\nDestinationIp: 10.0.2.3\nDestinationHostname: \nDestinationPort: 53\nDestinationPortName: domain", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -420,7 +437,7 @@ "DestinationPortName": "domain", "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "false", - "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessGuid": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "ProcessId": "924", "Protocol": "udp", "SourceHostname": "vagrant-2012-r2.local.crowbird.com", @@ -438,9 +455,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 9, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -453,6 +471,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -463,8 +482,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.148\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: VAGRANT-2012-R2\\vagrant\nProtocol: tcp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 1138\nSourcePortName: \nDestinationIsIpv6: false\nDestinationIp: 40.77.226.250\nDestinationHostname: \nDestinationPort: 443\nDestinationPortName: https", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -474,7 +493,7 @@ "DestinationPortName": "https", "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "Initiated": "true", - "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessGuid": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "ProcessId": "1600", "Protocol": "tcp", "SourceHostname": "vagrant-2012-r2.local.crowbird.com", @@ -492,9 +511,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 10, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -507,6 +527,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -517,8 +538,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.214\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: VAGRANT-2012-R2\\vagrant\nProtocol: tcp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 1139\nSourcePortName: \nDestinationIsIpv6: false\nDestinationIp: 40.77.226.250\nDestinationHostname: \nDestinationPort: 443\nDestinationPortName: https", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -528,7 +549,7 @@ "DestinationPortName": "https", "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "Initiated": "true", - "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "ProcessGuid": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "ProcessId": "1600", "Protocol": "tcp", "SourceHostname": "vagrant-2012-r2.local.crowbird.com", @@ -546,9 +567,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 11, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -561,6 +583,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -571,8 +594,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 10.0.2.255\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -582,7 +605,7 @@ "DestinationPortName": "netbios-ns", "Image": "System", "Initiated": "true", - "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessGuid": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "ProcessId": "4", "Protocol": "udp", "SourceHostname": "vagrant-2012-r2.local.crowbird.com", @@ -601,9 +624,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 12, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -616,6 +640,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -626,8 +651,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.0.2.255\nSourceHostname: \nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 10.0.2.15\nDestinationHostname: vagrant-2012-r2.local.crowbird.com\nDestinationPort: 137\nDestinationPortName: netbios-ns", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -638,7 +663,7 @@ "DestinationPortName": "netbios-ns", "Image": "System", "Initiated": "false", - "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessGuid": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "ProcessId": "4", "Protocol": "udp", "SourceIp": "10.0.2.255", @@ -656,9 +681,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 13, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -671,6 +697,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -681,8 +708,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: fe80:0:0:0:e488:b85c:5262:ff86\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 55542\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: ff02:0:0:0:0:0:1:3\nDestinationHostname: \nDestinationPort: 5355\nDestinationPortName: llmnr", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -692,7 +719,7 @@ "DestinationPortName": "llmnr", "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", - "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessGuid": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "ProcessId": "924", "Protocol": "udp", "SourceHostname": "vagrant-2012-r2.local.crowbird.com", @@ -710,9 +737,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 14, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -725,6 +753,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -735,8 +764,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: a00:20f:0:0:18a2:6e00:e0:ffff\nSourceHostname: \nSourcePort: 55542\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: e000:fc:4300:6800:7200:6f00:6d00:6500\nDestinationHostname: \nDestinationPort: 5355\nDestinationPortName: llmnr", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -746,7 +775,7 @@ "DestinationPortName": "llmnr", "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", - "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessGuid": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "ProcessId": "924", "Protocol": "udp", "SourceIp": "a00:20f:0:0:18a2:6e00:e0:ffff", @@ -763,9 +792,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 15, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -778,6 +808,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -788,8 +819,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 169.254.180.25\nSourceHostname: \nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 169.254.255.255\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -799,7 +830,7 @@ "DestinationPortName": "netbios-ns", "Image": "System", "Initiated": "true", - "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessGuid": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "ProcessId": "4", "Protocol": "udp", "SourceIp": "169.254.180.25", @@ -817,9 +848,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 16, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -832,6 +864,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -842,8 +875,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.251\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 169.254.255.255\nSourceHostname: \nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 169.254.180.25\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -853,7 +886,7 @@ "DestinationPortName": "netbios-ns", "Image": "System", "Initiated": "false", - "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessGuid": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "ProcessId": "4", "Protocol": "udp", "SourceIp": "169.254.255.255", @@ -871,9 +904,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 17, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -886,6 +920,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -896,8 +931,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.251\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: fe80:0:0:0:616f:32fa:b04f:b419\nSourceHostname: \nSourcePort: 55717\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: ff02:0:0:0:0:0:1:3\nDestinationHostname: \nDestinationPort: 5355\nDestinationPortName: llmnr", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -907,7 +942,7 @@ "DestinationPortName": "llmnr", "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", - "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessGuid": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "ProcessId": "924", "Protocol": "udp", "SourceIp": "fe80:0:0:0:616f:32fa:b04f:b419", @@ -924,9 +959,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 18, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -939,6 +975,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -949,8 +986,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.251\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: a9fe:b419:0:0:f880:2301:e0:ffff\nSourceHostname: \nSourcePort: 55717\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: e000:fc:0:0:0:0:0:0\nDestinationHostname: \nDestinationPort: 5355\nDestinationPortName: llmnr", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -960,7 +997,7 @@ "DestinationPortName": "llmnr", "Image": "C:\\Windows\\System32\\svchost.exe", "Initiated": "true", - "ProcessGuid": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "ProcessGuid": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "ProcessId": "924", "Protocol": "udp", "SourceIp": "a9fe:b419:0:0:f880:2301:e0:ffff", @@ -977,9 +1014,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 19, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -992,6 +1030,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1002,8 +1041,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.264\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 40.77.226.250\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -1013,7 +1052,7 @@ "DestinationPortName": "netbios-ns", "Image": "System", "Initiated": "true", - "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessGuid": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "ProcessId": "4", "Protocol": "udp", "SourceHostname": "vagrant-2012-r2.local.crowbird.com", @@ -1032,9 +1071,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 20, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1047,6 +1087,7 @@ { "@timestamp": "2019-03-18T16:57:49.3405807Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1057,8 +1098,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.276\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 10.0.2.3\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -1068,7 +1109,7 @@ "DestinationPortName": "netbios-ns", "Image": "System", "Initiated": "true", - "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessGuid": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "ProcessId": "4", "Protocol": "udp", "SourceHostname": "vagrant-2012-r2.local.crowbird.com", @@ -1087,9 +1128,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 21, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1102,6 +1144,7 @@ { "@timestamp": "2019-03-18T16:57:50.3572387Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1112,8 +1155,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:49.213\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 169.254.255.255\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -1123,7 +1166,7 @@ "DestinationPortName": "netbios-ns", "Image": "System", "Initiated": "true", - "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessGuid": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "ProcessId": "4", "Protocol": "udp", "SourceHostname": "vagrant-2012-r2.local.crowbird.com", @@ -1142,9 +1185,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 22, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1157,6 +1201,7 @@ { "@timestamp": "2019-03-18T16:57:50.3572387Z", "event": { + "action": "Network connection detected (rule: NetworkConnect)", "code": "3", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1167,8 +1212,8 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:49.218\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 169.254.180.25\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -1178,7 +1223,7 @@ "DestinationPortName": "netbios-ns", "Image": "System", "Initiated": "true", - "ProcessGuid": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "ProcessGuid": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "ProcessId": "4", "Protocol": "udp", "SourceHostname": "vagrant-2012-r2.local.crowbird.com", @@ -1197,9 +1242,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 23, + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1212,6 +1258,7 @@ { "@timestamp": "2019-03-18T16:57:52.3542746Z", "event": { + "action": "Process terminated (rule: ProcessTerminate)", "code": "5", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1222,13 +1269,13 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.350\nProcessGuid: {42F11C3B-CCC6-5C8F-0000-001005082900}\nProcessId: 0\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: %6", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "ProcessGuid": "{42f11c3b-ccc6-5c8f-0000-001005082900}", + "ProcessGuid": "{42F11C3B-CCC6-5C8F-0000-001005082900}", "ProcessId": "4832", "UtcTime": "2019-03-18 16:57:52.350" }, @@ -1240,9 +1287,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 24, + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1255,6 +1303,7 @@ { "@timestamp": "2019-03-18T16:57:52.3640428Z", "event": { + "action": "Process terminated (rule: ProcessTerminate)", "code": "5", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1265,13 +1314,13 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.364\nProcessGuid: {42F11C3B-CCCC-5C8F-0000-0010E8272900}\nProcessId: 0\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: %6", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "ProcessGuid": "{42f11c3b-cccc-5c8f-0000-0010e8272900}", + "ProcessGuid": "{42F11C3B-CCCC-5C8F-0000-0010E8272900}", "ProcessId": "3208", "UtcTime": "2019-03-18 16:57:52.364" }, 
@@ -1283,9 +1332,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 25, + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1297,7 +1347,11 @@ }, { "@timestamp": "2019-03-18T16:57:52.4021191Z", + "error": { + "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." + }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "code": "2", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1309,17 +1363,17 @@ "level": "information" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "error": {}, "event_data": { - "CreationUtcTime": "2019-03-18 16:52:04.980", - "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.387", - "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "ProcessId": "1600", - "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp", - "UtcTime": "2019-03-18 16:57:52.387" + "param1": "2019-03-18 16:57:52.387", + "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "param3": "1600", + "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp", + "param6": "2019-03-18 16:52:04.980", + "param7": "2019-03-18 16:57:52.387" }, "event_id": "2", "opcode": "Info", 
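Review bot: In `@@ -1309,17 +1363,17 @@` the event ID 2 record loses its named `event_data` keys (`CreationUtcTime`, `Image`, `TargetFilename`, `ProcessGuid`, `ProcessId`, `UtcTime`) and now carries `param1`..`param7` plus a top-level `error.message` about EvtFormatMessage, which is a change in emitted data rather than a neutral golden refresh; presumably the sysmon module's ECS mappings for this event (file path, process id) would stop populating, so detections keyed on those fields would silently miss. The same shape repeats for record_id 27 and the following record. The added `"error": {}` under `winlog` is also an empty object that should be omitted from the output rather than serialized. Rather than accepting the regenerated golden, I would keep the named fields when the message-table lookup fails, since the names are still recoverable from the event's own template data.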
@@ -1329,9 +1383,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 26, + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1343,7 +1398,11 @@ }, { "@timestamp": "2019-03-18T16:57:52.417733Z", + "error": { + "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." + }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "code": "2", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1355,17 +1414,17 @@ "level": "information" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "error": {}, "event_data": { - "CreationUtcTime": "2019-03-18 16:52:04.980", - "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.402", - "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "ProcessId": "1600", - "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp", - "UtcTime": "2019-03-18 16:57:52.417" + "param1": "2019-03-18 16:57:52.417", + "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "param3": "1600", + "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp", + "param6": "2019-03-18 16:52:04.980", + "param7": "2019-03-18 16:57:52.402" }, "event_id": "2", "opcode": "Info", 
@@ -1375,9 +1434,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 27, + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1389,7 +1449,11 @@ }, { "@timestamp": "2019-03-18T16:57:52.417733Z", + "error": { + "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." + }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "code": "2", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1401,17 +1465,17 @@ "level": "information" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "error": {}, "event_data": { - "CreationUtcTime": "2019-03-18 16:52:05.028", - "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.402", - "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "ProcessId": "1600", - "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", - "UtcTime": "2019-03-18 16:57:52.417" + "param1": "2019-03-18 16:57:52.417", + "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "param3": "1600", + "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", + "param6": "2019-03-18 16:52:05.028", + "param7": "2019-03-18 16:57:52.402" }, "event_id": "2", "opcode": "Info", 
@@ -1421,9 +1485,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 28, + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1435,7 +1500,11 @@ }, { "@timestamp": "2019-03-18T16:57:52.417733Z", + "error": { + "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." + }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "code": "2", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1447,17 +1516,17 @@ "level": "information" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "error": {}, "event_data": { - "CreationUtcTime": "2019-03-18 16:51:54.980", - "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417", - "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "ProcessId": "1600", - "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", - "UtcTime": "2019-03-18 16:57:52.417" + "param1": "2019-03-18 16:57:52.417", + "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "param3": "1600", + "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", + "param6": "2019-03-18 16:51:54.980", + "param7": "2019-03-18 16:57:52.417" }, "event_id": "2", "opcode": "Info", 
@@ -1467,9 +1536,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 29, + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1482,6 +1552,7 @@ { "@timestamp": "2019-03-18T16:57:52.4333673Z", "event": { + "action": "Process terminated (rule: ProcessTerminate)", "code": "5", "kind": "event", "provider": "Microsoft-Windows-Sysmon" @@ -1492,13 +1563,13 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.433\nProcessGuid: {42F11C3B-CCAB-5C8F-0000-001064EB2700}\nProcessId: 0\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: %6", "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "ProcessGuid": "{42f11c3b-ccab-5c8f-0000-001064eb2700}", + "ProcessGuid": "{42F11C3B-CCAB-5C8F-0000-001064EB2700}", "ProcessId": "2680", "UtcTime": "2019-03-18 16:57:52.433" }, @@ -1510,9 +1581,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 30, + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1524,7 +1596,11 @@ }, { "@timestamp": "2019-03-18T16:57:52.4333673Z", + "error": { + "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." + }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "code": "2", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1536,17 +1612,17 @@ "level": "information" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "error": {}, "event_data": { - "CreationUtcTime": "2019-03-18 16:52:08.496", - "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417", - "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "ProcessId": "1600", - "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", - "UtcTime": "2019-03-18 16:57:52.433" + "param1": "2019-03-18 16:57:52.433", + "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "param3": "1600", + "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", + "param6": "2019-03-18 16:52:08.496", + "param7": "2019-03-18 16:57:52.417" }, "event_id": "2", "opcode": "Info", @@ -1556,9 +1632,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 31, + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1570,7 +1647,11 @@ }, { "@timestamp": "2019-03-18T16:57:52.4333673Z", + "error": { + "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." + }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "code": "2", "kind": "event", "provider": "Microsoft-Windows-Sysmon" 
@@ -1582,17 +1663,17 @@ "level": "information" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", + "error": {}, "event_data": { - "CreationUtcTime": "2019-03-18 16:52:05.339", - "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "PreviousCreationUtcTime": "2019-03-18 16:57:52.417", - "ProcessGuid": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", - "ProcessId": "1600", - "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", - "UtcTime": "2019-03-18 16:57:52.433" + "param1": "2019-03-18 16:57:52.433", + "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "param3": "1600", + "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", + "param6": "2019-03-18 16:52:05.339", + "param7": "2019-03-18 16:57:52.417" }, "event_id": "2", "opcode": "Info", @@ -1602,9 +1683,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": 32, + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", From 37302c66098db75d4a342d6df3b1fe70d9488db0 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 13 Jan 2025 06:34:50 -0800 Subject: [PATCH 04/20] Remove unused renderer option --- winlogbeat/eventlog/config.go | 1 - 1 file changed, 1 deletion(-) diff --git a/winlogbeat/eventlog/config.go b/winlogbeat/eventlog/config.go index a4809d51378b..fc9efde20d23 100644 --- a/winlogbeat/eventlog/config.go +++ b/winlogbeat/eventlog/config.go 
@@ -49,7 +49,6 @@ func readConfig(c *conf.C, config interface{}) error { } type config struct { - Renderer string `config:"renderer"` // Name of the renderer to use. Optional. Name string `config:"name"` // Name of the event log or channel or file. ID string `config:"id"` // Identifier for the event log. XMLQuery string `config:"xml_query"` // Custom query XML. Must not be used with the keys from eventlog.query. From 74858cbfde679eaf8baa33733f5337bc949a7e4d Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 13 Jan 2025 07:07:24 -0800 Subject: [PATCH 05/20] Fix tests --- .../x-pack/pipeline.xpack.winlogbeat.yml | 18 ++++++++++++------ winlogbeat/tests/system/test_config.py | 13 ------------- 2 files changed, 12 insertions(+), 19 deletions(-) diff --git a/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml b/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml index 0f3927bb61df..818154eb7f18 100644 --- a/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml +++ b/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml @@ -65,8 +65,9 @@ steps: - label: ":windows: x-pack/winlogbeat Win 2019 Unit Tests" key: "mandatory-win-2019-unit-tests" command: | - Set-Location -Path .buildkite/scripts + Push-Location -Path .buildkite/scripts ./install_sysmon.ps1 + Pop-Location Set-Location -Path x-pack/winlogbeat mage build unitTest retry: @@ -93,8 +94,9 @@ steps: - label: ":windows: x-pack/winlogbeat: Win 2016 Unit Tests" command: | - Set-Location -Path .buildkite/scripts + Push-Location -Path .buildkite/scripts ./install_sysmon.ps1 + Pop-Location Set-Location -Path x-pack/winlogbeat mage build unitTest key: "mandatory-win-2016-unit-tests" @@ -122,8 +124,9 @@ steps: - label: ":windows: x-pack/winlogbeat: Win 2022 Unit Tests" command: | - Set-Location -Path .buildkite/scripts + Push-Location -Path .buildkite/scripts ./install_sysmon.ps1 + Pop-Location Set-Location -Path x-pack/winlogbeat mage build unitTest key: "mandatory-win-2022-unit-tests" 
@@ -156,8 +159,9 @@ steps: steps: - label: ":windows: x-pack/winlogbeat: Win 10 Unit Tests" command: | - Set-Location -Path .buildkite/scripts + Push-Location -Path .buildkite/scripts ./install_sysmon.ps1 + Pop-Location Set-Location -Path x-pack/winlogbeat mage build unitTest key: "extended-win-10-unit-tests" @@ -185,8 +189,9 @@ steps: - label: ":windows: x-pack/winlogbeat: Win 11 Unit Tests" command: | - Set-Location -Path .buildkite/scripts + Push-Location -Path .buildkite/scripts ./install_sysmon.ps1 + Pop-Location Set-Location -Path x-pack/winlogbeat mage build unitTest key: "extended-win-11-unit-tests" @@ -214,8 +219,9 @@ steps: - label: ":windows: x-pack/winlogbeat: Win 2019 Unit Tests" command: | - Set-Location -Path .buildkite/scripts + Push-Location -Path .buildkite/scripts ./install_sysmon.ps1 + Pop-Location Set-Location -Path x-pack/winlogbeat mage build unitTest key: "extended-win-2019-unit-tests" diff --git a/winlogbeat/tests/system/test_config.py b/winlogbeat/tests/system/test_config.py index 1f8c7685a35c..d2027357d545 100644 --- a/winlogbeat/tests/system/test_config.py +++ b/winlogbeat/tests/system/test_config.py @@ -52,19 +52,6 @@ def test_invalid_level(self): assert self.log_contains( "invalid level ('errors') for query") - def test_invalid_api(self): - """ - configtest - invalid api (file) - """ - self.render_config_template( - event_logs=[ - {"name": "Application", "api": "file"} - ] - ) - self.run_config_tst(exit_code=1) - assert self.log_contains("failed to create new event log: " - "file API is not available") - def run_config_tst(self, pcap=None, exit_code=0): config = "winlogbeat.yml" From d829c9a3bb7edde46a7a0eff52b2185027df182e Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Tue, 14 Jan 2025 00:30:51 -0800 Subject: [PATCH 06/20] Fix tests --- winlogbeat/_meta/fields.common.yml | 11 ----------- winlogbeat/docs/fields.asciidoc | 10 ---------- winlogbeat/eventlog/config.go | 2 +- winlogbeat/eventlog/eventlog.go | 11 ----------- winlogbeat/include/fields.go | 2 +- winlogbeat/sys/wineventlog/renderer_test.go | 4 ++-- .../sys/wineventlog/testdata/original.evtx | Bin 69632 -> 69632 bytes winlogbeat/sys/wineventlog/testdata/raw.evtx | Bin 69632 -> 69632 bytes winlogbeat/sys/wineventlog/util_test.go | 1 - winlogbeat/tests/system/test_wineventlog.py | 10 ++++++---- winlogbeat/tests/system/winlogbeat.py | 6 ++---- 11 files changed, 12 insertions(+), 45 deletions(-) diff --git a/winlogbeat/_meta/fields.common.yml b/winlogbeat/_meta/fields.common.yml index c1bef43568ec..b4ad8338ef89 100644 --- a/winlogbeat/_meta/fields.common.yml +++ b/winlogbeat/_meta/fields.common.yml @@ -23,13 +23,6 @@ All fields specific to the Windows Event Log are defined here. fields: - - name: api - required: true - description: > - The event log API type used to read the record. The possible values are - "wineventlog" for the Windows Event Log XML reader or "wineventlog-raw" for its - more performant implementation. - - name: activity_id type: keyword required: false @@ -499,10 +492,6 @@ version of Winlogbeat. These are added to the index template when `migration.6_to_7.enable: true` is set in the configuration. fields: - - name: type - type: alias - path: winlog.api - migration: true - name: activity_id type: alias diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index c669e55bd3e8..bbdf5245118e 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc 
@@ -16279,16 +16279,6 @@ All fields specific to the Windows Event Log are defined here. -*`winlog.api`*:: -+ --- -The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log XML reader or "wineventlog-raw" for its more performant implementation. - - -required: True - --- - *`winlog.activity_id`*:: + -- diff --git a/winlogbeat/eventlog/config.go b/winlogbeat/eventlog/config.go index fc9efde20d23..bc75a80f7108 100644 --- a/winlogbeat/eventlog/config.go +++ b/winlogbeat/eventlog/config.go @@ -36,7 +36,7 @@ type validator interface { func readConfig(c *conf.C, config interface{}) error { if err := c.Unpack(config); err != nil { - return fmt.Errorf("failed unpacking config. %v", err) + return fmt.Errorf("failed unpacking config. %w", err) } if v, ok := config.(validator); ok { diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go index 555b071d6590..35188f2d820c 100644 --- a/winlogbeat/eventlog/eventlog.go +++ b/winlogbeat/eventlog/eventlog.go @@ -23,20 +23,9 @@ import ( "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/winlogbeat/checkpoint" "github.com/elastic/beats/v7/winlogbeat/sys/winevent" - "github.com/elastic/elastic-agent-libs/logp" "github.com/elastic/elastic-agent-libs/mapstr" ) -// Debug selectors used in this package. -const ( - debugSelector = "eventlog" -) - -// Debug logging functions for this package. -var ( - debugf = logp.MakeDebug(debugSelector) -) - // EventLog is an interface to a Windows Event Log. type EventLog interface { // Open the event log. state points to the last successfully read event diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index e372ca95ed2e..0cd9a9f1d76a 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go 
@@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded zlib format compressed contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "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" + return "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" } diff --git a/winlogbeat/sys/wineventlog/renderer_test.go b/winlogbeat/sys/wineventlog/renderer_test.go index 01089b5a112e..daecafa07d7e 100644 --- a/winlogbeat/sys/wineventlog/renderer_test.go +++ b/winlogbeat/sys/wineventlog/renderer_test.go @@ -40,8 +40,8 @@ import ( func TestRenderer(t *testing.T) { logp.TestingSetup() - t.Run(filepath.Base(sysmon9File), func(t *testing.T) { - log := openLog(t, sysmon9File) + t.Run(filepath.Base(security4738File), func(t *testing.T) { + log := openLog(t, security4738File) defer log.Close() r, err := NewRenderer(RenderConfig{}, NilHandle, logp.L()) diff --git a/winlogbeat/sys/wineventlog/testdata/original.evtx b/winlogbeat/sys/wineventlog/testdata/original.evtx index a973a51a4c34e1e3fae8c7c41bec8ac211825aaf..afe58e98b8e48f6d777912f4a5f0f9eb40983556 100644 GIT binary patch delta 173 ncmZozz|ydQWkSV72NssI@1N#PFXU(JpWeXF*f7|L!X^O#zV|xy delta 174 ocmZozz|ydQWkLl9BLf4&+4oQLrWf)v_D^r%XKWa3L}8Nv06dgBB>(^b diff --git a/winlogbeat/sys/wineventlog/testdata/raw.evtx b/winlogbeat/sys/wineventlog/testdata/raw.evtx index 1fbfa0a461fbe44a73baa7f648c3d9e0270ac6cf..12dc8c0d6ab90f5e29ecbb7a8af0dc0b849c372d 100644 GIT binary patch delta 173 ncmZozz|ydQWkSV72Nst3d~&m<7xFXqPjBF7Y#3}rVUqv=wCOoZ delta 174 ocmZozz|ydQWkLl9BLf4&d_K8Z(+l|-`=>YXGd2u1qOeH-05XO+djJ3c diff --git a/winlogbeat/sys/wineventlog/util_test.go b/winlogbeat/sys/wineventlog/util_test.go index c29e5ed8d1f9..96619e89fad5 100644 --- a/winlogbeat/sys/wineventlog/util_test.go +++ b/winlogbeat/sys/wineventlog/util_test.go 
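Review bot: Swapping `sysmon9File` for `security4738File` in TestRenderer removes the only renderer coverage for a non-Microsoft provider, and with the constant deleted in the util_test.go hunk that follows, the Sysmon fixture is no longer referenced by this test. The golden changes earlier in this series show exactly that class of event degrading to `param1`…`paramN` with an EvtFormatMessage error, so keeping a Sysmon subtest (or restoring one once the metadata fallback lands) would guard the regression. If the fixture was dropped because it no longer renders cleanly, a one-line comment at the subtest saying so would help the next reader.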
@@ -39,7 +39,6 @@ const ( security4752File = "testdata/4752.evtx" security4738File = "testdata/4738.evtx" - sysmon9File = "testdata/sysmon-9.01.evtx" winErrorReportingFile = "testdata/application-windows-error-reporting.evtx" ) diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py index e0b24d18454f..267e67e974fb 100644 --- a/winlogbeat/tests/system/test_wineventlog.py +++ b/winlogbeat/tests/system/test_wineventlog.py @@ -153,8 +153,12 @@ def test_read_unknown_event_id(self): "winlog.keywords": ["Classic"], "winlog.opcode": "Info", }) - # Oddly, no rendering error is being given. - self.assertTrue("error.message" not in evts[0]) + + self.assertEqual( + "failed to get the event message string: failed in EvtFormatMessage:" + " The message resource is present but the message was not found in the message table.", + evts[0]["error.message"] + ) def test_read_unknown_sid(self): """ @@ -242,7 +246,6 @@ def test_include_xml(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "include_xml": True, } ] @@ -471,7 +474,6 @@ def test_multiline_events(self): self.write_event_log(msg) evts = self.read_events() self.assertTrue(len(evts), 1) - self.assertEqual(str(self.api), evts[0]["winlog.api"], msg=evts[0]) self.assertNotIn("event.original", evts[0], msg=evts[0]) self.assertIn("message", evts[0], msg=evts[0]) self.assertNotIn("\\u000a", evts[0]["message"], msg=evts[0]) diff --git a/winlogbeat/tests/system/winlogbeat.py b/winlogbeat/tests/system/winlogbeat.py index e9a67670a8ca..029224537299 100644 --- a/winlogbeat/tests/system/winlogbeat.py +++ b/winlogbeat/tests/system/winlogbeat.py 
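Review bot: The new assertion in test_read_unknown_event_id pins the full EvtFormatMessage text, including the "The message resource is present but the message was not found in the message table." suffix, which is supplied by the OS message table and varies with locale and Windows version. Asserting only the prefix produced by this codebase, `self.assertIn("failed to get the event message string: failed in EvtFormatMessage", evts[0]["error.message"])`, keeps the test from failing on non-English CI images. The removed comment noted that no rendering error used to be reported; a short comment explaining why an error is now the expected outcome for an unknown event ID would document the intended behavior change.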
@@ -35,14 +35,13 @@ class WriteReadTest(BaseTest): testSuffix = None sid = None sidString = None - api = None def setUp(self): super(WriteReadTest, self).setUp() # Every test will use its own event log and application names to ensure # isolation. - self.testSuffix = "_" + hashlib.sha256(str(self.api + self._testMethodName).encode('utf_8')).hexdigest()[:5] + self.testSuffix = "_" + hashlib.sha256(str(self._testMethodName).encode('utf_8')).hexdigest()[:5] self.providerName = PROVIDER + self.testSuffix self.applicationName = APP_NAME + self.testSuffix self.otherAppName = OTHER_APP_NAME + self.testSuffix @@ -107,7 +106,7 @@ def read_events(self, config=None, expected_events=1): if config is None: config = { "event_logs": [ - {"name": self.providerName, "api": self.api} + {"name": self.providerName} ] } @@ -146,7 +145,6 @@ def assert_common_fields(self, evt, msg=None, eventID="10", sid=None, "log.level": level.lower(), "winlog.channel": self.providerName, "winlog.provider_name": self.applicationName, - "winlog.api": self.api, } assert expected.items() <= evt.items() From 8a66d4ed07c5754ba76515a3ece97391fd1912bc Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 14 Jan 2025 00:33:46 -0800 Subject: [PATCH 07/20] Remove field from docs --- dev-tools/ecs-migration.yml | 6 ------ winlogbeat/docs/fields.asciidoc | 9 --------- 2 files changed, 15 deletions(-) diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml index 0ea295b2d7e3..0f31b59c85a8 100644 --- a/dev-tools/ecs-migration.yml +++ b/dev-tools/ecs-migration.yml @@ -1972,12 +1972,6 @@ # renames to match Windows Event Log naming -- from: type - to: winlog.api - alias: true - beat: winlogbeat - rename: false - - from: log_name to: winlog.channel alias: true diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index bbdf5245118e..aefd33a8b93c 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc 
@@ -15372,15 +15372,6 @@ Field aliases based on Winlogbeat 6.x that point to the fields for this version -*`type`*:: -+ --- -type: alias - -alias to: winlog.api - --- - *`activity_id`*:: + -- From 24fca7aab878f1e5b9887204e6b45860b8f68cc9 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 14 Jan 2025 09:40:48 +0100 Subject: [PATCH 08/20] Fix doc default value --- filebeat/docs/inputs/input-winlog.asciidoc | 2 +- winlogbeat/docs/winlogbeat-options.asciidoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/filebeat/docs/inputs/input-winlog.asciidoc b/filebeat/docs/inputs/input-winlog.asciidoc index fb624dc3af58..c982e3649123 100644 --- a/filebeat/docs/inputs/input-winlog.asciidoc +++ b/filebeat/docs/inputs/input-winlog.asciidoc @@ -40,7 +40,7 @@ Here is a sample configuration: ==== `batch_read_size` The maximum number of event log records to read from the Windows API in a single -batch. The default batch size is 100. Most Windows versions return an error if +batch. The default batch size is 512. Most Windows versions return an error if the value is larger than 1024. *{vista_and_newer}* {beatname_uc} starts a goroutine (a lightweight thread) to read from each diff --git a/winlogbeat/docs/winlogbeat-options.asciidoc b/winlogbeat/docs/winlogbeat-options.asciidoc index 57239aa72d33..907d5311fcbb 100644 --- a/winlogbeat/docs/winlogbeat-options.asciidoc +++ b/winlogbeat/docs/winlogbeat-options.asciidoc @@ -98,7 +98,7 @@ winlogbeat.event_logs: ==== `event_logs.batch_read_size` The maximum number of event log records to read from the Windows API in a single -batch. The default batch size is 100. Most Windows versions return an error if +batch. The default batch size is 512. Most Windows versions return an error if the value is larger than 1024. *{vista_and_newer}* {beatname_uc} starts a goroutine (a lightweight thread) to read from each From e6cc25b811cfa8cd87dbed0a8314d3b4b742ca4e Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Tue, 14 Jan 2025 10:03:51 +0100 Subject: [PATCH 09/20] Make script compatible with older ps --- .buildkite/scripts/install_sysmon.ps1 | 29 ++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/.buildkite/scripts/install_sysmon.ps1 b/.buildkite/scripts/install_sysmon.ps1 index 4f26330a24c5..1cf61fb5cf82 100644 --- a/.buildkite/scripts/install_sysmon.ps1 +++ b/.buildkite/scripts/install_sysmon.ps1 @@ -6,14 +6,29 @@ if (!(Test-Path $tempFolder)) { } $ProgressPreference = 'SilentlyContinue' +function ParseErrorForResponseBody($Error) { + if ($PSVersionTable.PSVersion.Major -lt 6) { + if ($Error.Exception.Response) { + $Reader = New-Object System.IO.StreamReader($Error.Exception.Response.GetResponseStream()) + $Reader.BaseStream.Position = 0 + $Reader.DiscardBufferedData() + $ResponseBody = $Reader.ReadToEnd() + if ($ResponseBody.StartsWith('{')) { + $ResponseBody = $ResponseBody | ConvertFrom-Json + } + return $ResponseBody + } + } + else { + return $Error.ErrorDetails.Message + } +} + try { - Invoke-WebRequest -Uri $downloadUrl -OutFile "$tempFolder\Sysmon.zip" -UseBasicParsing -} catch { - $result = $_.Exception.Response.GetResponseStream() - $reader = New-Object System.IO.StreamReader($result) - $reader.BaseStream.Position = 0 - $reader.DiscardBufferedData() - $reader.ReadToEnd() + $result = Invoke-WebRequest -Uri $downloadUrl -OutFile "$tempFolder\Sysmon.zip" -UseBasicParsing +} +catch { + ParseErrorForResponseBody($_) exit 1 } From 5cfdc9b5d9161a78f1682b56acf6a047980d46de Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 14 Jan 2025 10:18:42 +0100 Subject: [PATCH 10/20] Print error --- .buildkite/scripts/install_sysmon.ps1 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.buildkite/scripts/install_sysmon.ps1 b/.buildkite/scripts/install_sysmon.ps1 index 1cf61fb5cf82..b4eaea09c278 100644 --- a/.buildkite/scripts/install_sysmon.ps1 +++ b/.buildkite/scripts/install_sysmon.ps1 
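Review bot: `$result = Invoke-WebRequest … -OutFile …` assigns a value that is never used, and without `-PassThru` the `-OutFile` form returns nothing, so the assignment should be dropped. In `ParseErrorForResponseBody` the parameter is named `$Error`, which shadows PowerShell's automatic `$Error` collection inside the function; renaming it (e.g. `$ErrorRecord`) avoids that confusion, and the pre-6 branch returns nothing when `Exception.Response` is null, so the caller may print an empty line. Separately, `Sysmon.zip` is downloaded with no integrity check before the script goes on to use it (presumably extraction and install, outside this hunk); since this runs on CI hosts, verifying a pinned digest first, `if ((Get-FileHash "$tempFolder\Sysmon.zip" -Algorithm SHA256).Hash -ne $expectedSha256) { exit 1 }` with `$expectedSha256` set to the known-good hash, would close that supply-chain gap.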
@@ -28,7 +28,8 @@ try { $result = Invoke-WebRequest -Uri $downloadUrl -OutFile "$tempFolder\Sysmon.zip" -UseBasicParsing } catch { - ParseErrorForResponseBody($_) + $resp = ParseErrorForResponseBody($_) + Write-Host "$resp" exit 1 } From 3fd5e3ff2d28099087fa22a3c91f4c0e53d2c1cb Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 14 Jan 2025 11:14:45 +0100 Subject: [PATCH 11/20] Fix web request --- .buildkite/scripts/install_sysmon.ps1 | 1 + 1 file changed, 1 insertion(+) diff --git a/.buildkite/scripts/install_sysmon.ps1 b/.buildkite/scripts/install_sysmon.ps1 index b4eaea09c278..7c4a6ea5af1e 100644 --- a/.buildkite/scripts/install_sysmon.ps1 +++ b/.buildkite/scripts/install_sysmon.ps1 @@ -25,6 +25,7 @@ function ParseErrorForResponseBody($Error) { } try { + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $result = Invoke-WebRequest -Uri $downloadUrl -OutFile "$tempFolder\Sysmon.zip" -UseBasicParsing } catch { From 61cb7a0f0e0b6f90a8dfa4594bae81b6fa0927cc Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 14 Jan 2025 05:39:26 -0800 Subject: [PATCH 12/20] Clean tests and Fallback to use latest available metadata if non found --- winlogbeat/eventlog/wineventlog.go | 34 +++--- winlogbeat/eventlog/wineventlog_test.go | 4 +- .../sys/wineventlog/format_message_test.go | 16 +-- winlogbeat/sys/wineventlog/metadata_store.go | 23 +++- .../sys/wineventlog/metadata_store_test.go | 2 +- .../tests/system/config/winlogbeat.yml.j2 | 3 - winlogbeat/tests/system/test_wineventlog.py | 18 --- .../collection/sysmon-9.01.evtx.golden.json | 114 ++++++++---------- x-pack/winlogbeat/module/testing.go | 2 +- x-pack/winlogbeat/module/testing_windows.go | 1 - 10 files changed, 86 insertions(+), 131 deletions(-) diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go index 84e65aa95ab3..54cf61a63287 100644 --- a/winlogbeat/eventlog/wineventlog.go +++ b/winlogbeat/eventlog/wineventlog.go 
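Review bot: In the second hunk on this line, `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` replaces the protocol set rather than adding to it, so TLS 1.3 is excluded on hosts whose .NET supports it and the setting applies process-wide for the rest of the script. Unless the download host requires TLS 1.2 specifically, OR the value onto the existing setting, `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`, and add a comment naming the older Windows PowerShell default this works around so it can be removed when those images are retired.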
@@ -34,9 +34,9 @@ import ( "github.com/elastic/elastic-agent-libs/logp" ) -// winEventLogRaw implements the EventLog interface for reading from the Windows +// winEventLog implements the EventLog interface for reading from the Windows // Event Log API. -type winEventLogRaw struct { +type winEventLog struct { config config query string id string // Identifier of this event log. @@ -98,7 +98,7 @@ func newWinEventLog(options *conf.C) (EventLog, error) { log = logp.NewLogger("wineventlog").With("id", id).With("channel", c.Name) } - l := &winEventLogRaw{ + l := &winEventLog{ config: c, query: xmlQuery, id: id, @@ -131,27 +131,27 @@ func newWinEventLog(options *conf.C) (EventLog, error) { return l, nil } -func (l *winEventLogRaw) isForwarded() bool { +func (l *winEventLog) isForwarded() bool { c := l.config return (c.Forwarded != nil && *c.Forwarded) || (c.Forwarded == nil && c.Name == "ForwardedEvents") } // Name returns the name of the event log (i.e. Application, Security, etc.). -func (l *winEventLogRaw) Name() string { +func (l *winEventLog) Name() string { return l.id } // Channel returns the event log's channel name. -func (l *winEventLogRaw) Channel() string { +func (l *winEventLog) Channel() string { return l.channelName } // IsFile returns true if the event log is an evtx file. -func (l *winEventLogRaw) IsFile() bool { +func (l *winEventLog) IsFile() bool { return l.file } -func (l *winEventLogRaw) Open(state checkpoint.EventLogState) error { +func (l *winEventLog) Open(state checkpoint.EventLogState) error { l.lastRead = state // we need to defer metrics initialization since when the event log // is used from winlog input it would register it twice due to CheckConfig calls 
@@ -168,7 +168,7 @@ func (l *winEventLogRaw) Open(state checkpoint.EventLogState) error { return err } -func (l *winEventLogRaw) open(state checkpoint.EventLogState) (win.EvtHandle, error) { +func (l *winEventLog) open(state checkpoint.EventLogState) (win.EvtHandle, error) { var bookmark win.Bookmark if len(state.Bookmark) > 0 { var err error @@ -185,7 +185,7 @@ func (l *winEventLogRaw) open(state checkpoint.EventLogState) (win.EvtHandle, er return l.openChannel(bookmark) } -func (l *winEventLogRaw) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) { +func (l *winEventLog) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) { path := l.channelName h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection) @@ -222,7 +222,7 @@ func (l *winEventLogRaw) openFile(state checkpoint.EventLogState, bookmark win.B return h, err } -func (l *winEventLogRaw) openChannel(bookmark win.Bookmark) (win.EvtHandle, error) { +func (l *winEventLog) openChannel(bookmark win.Bookmark) (win.EvtHandle, error) { // Using a pull subscription to receive events. See: // https://msdn.microsoft.com/en-us/library/windows/desktop/aa385771(v=vs.85).aspx#pull signalEvent, err := windows.CreateEvent(nil, 0, 0, nil) @@ -264,7 +264,7 @@ func (l *winEventLogRaw) openChannel(bookmark win.Bookmark) (win.EvtHandle, erro } } -func (l *winEventLogRaw) Read() ([]Record, error) { +func (l *winEventLog) Read() ([]Record, error) { //nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive. var records []Record defer func() { @@ -302,7 +302,7 @@ func (l *winEventLogRaw) Read() ([]Record, error) { return records, nil } -func (l *winEventLogRaw) processHandle(h win.EvtHandle) (*Record, error) { +func (l *winEventLog) processHandle(h win.EvtHandle) (*Record, error) { defer h.Close() // NOTE: Render can return an error and a partial event. 
@@ -339,7 +339,7 @@ func (l *winEventLogRaw) processHandle(h win.EvtHandle) (*Record, error) { return r, nil } -func (l *winEventLogRaw) createBookmarkFromEvent(evtHandle win.EvtHandle) (string, error) { +func (l *winEventLog) createBookmarkFromEvent(evtHandle win.EvtHandle) (string, error) { bookmark, err := win.NewBookmarkFromEvent(evtHandle) if err != nil { return "", fmt.Errorf("failed to create new bookmark from event handle: %w", err) @@ -349,18 +349,18 @@ func (l *winEventLogRaw) createBookmarkFromEvent(evtHandle win.EvtHandle) (strin return bookmark.XML() } -func (l *winEventLogRaw) Reset() error { +func (l *winEventLog) Reset() error { l.log.Debug("Closing event log reader handles for reset.") return l.close() } -func (l *winEventLogRaw) Close() error { +func (l *winEventLog) Close() error { l.log.Debug("Closing event log reader handles.") l.metrics.close() return l.close() } -func (l *winEventLogRaw) close() error { +func (l *winEventLog) close() error { if l.iterator == nil { return l.renderer.Close() } diff --git a/winlogbeat/eventlog/wineventlog_test.go b/winlogbeat/eventlog/wineventlog_test.go index 0290ce48feb4..d38852caf724 100644 --- a/winlogbeat/eventlog/wineventlog_test.go +++ b/winlogbeat/eventlog/wineventlog_test.go @@ -157,9 +157,7 @@ func TestWinEventLogConfig_Validate(t *testing.T) { } } -func TestWindowsEventLogAPIRaw(t *testing.T) { - // for the raw api using include xml behave differently than not - // so we must test both settings +func TestWindowsEventLogAPI(t *testing.T) { testWindowsEventLog(t, true) testWindowsEventLog(t, false) } diff --git a/winlogbeat/sys/wineventlog/format_message_test.go b/winlogbeat/sys/wineventlog/format_message_test.go index c677bc148acb..1d20626a261b 100644 --- a/winlogbeat/sys/wineventlog/format_message_test.go +++ b/winlogbeat/sys/wineventlog/format_message_test.go 
@@ -65,21 +65,7 @@ func TestFormatMessage(t *testing.T) { } assert.Contains(t, msg, `{{eventParam $ 2}}`) - - // NOTE: In this test case I noticed the messages contains - // "Logon ID: 0x0" - // but it should contain - // "Logon ID: {{eventParam $ 9}}" - // - // This may mean that certain windows.GUID values cannot be - // substituted with string values. So we shouldn't rely on this - // method to create text/templates. Instead we can use the - // getMessageStringFromMessageID (see test below) that works as - // expected. - // - // Note: This is not the case under 32-bit Windows 7. - // Disabling the assertion for now. - //assert.NotContains(t, msg, `{{eventParam $ 9}}`) + assert.NotContains(t, msg, `{{eventParam $ 9}}`) }) }) diff --git a/winlogbeat/sys/wineventlog/metadata_store.go b/winlogbeat/sys/wineventlog/metadata_store.go index 821e04d2dfc8..c650972dbb81 100644 --- a/winlogbeat/sys/wineventlog/metadata_store.go +++ b/winlogbeat/sys/wineventlog/metadata_store.go @@ -52,7 +52,11 @@ type PublisherMetadataStore struct { winevent.WinMeta // Event ID to event metadata (message and event data param names). - Events map[uint32]*EventMetadata + // Keeps track of the latest metadata available for each event. + EventsNewest map[uint16]*EventMetadata + // Event ID to event metadata (message and event data param names). + // Keeps track of all available versions for each event. + EventsByVersion map[uint32]*EventMetadata // Event ID to map of fingerprints to event metadata. The fingerprint value // is hash of the event data parameters count and types. EventFingerprints map[uint32]map[uint64]*EventMetadata 
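Review bot: The `assert.NotContains(t, msg, `{{eventParam $ 9}}`)` check is re-enabled in format_message_test.go without recording why the GUID-substitution problem the deleted comment described no longer applies; presumably the metadata store changes elsewhere in this patch, but the hunk does not say. A short comment above the assertion would stop the next person who hits a platform-specific failure from simply commenting it out again, e.g. `// Param 9 (Logon ID) must be substituted; if this regresses on a specific Windows version, note the platform here instead of disabling the check.` The enclosing subtest closure starts before the hunk.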
@@ -103,7 +107,8 @@ func NewEmptyPublisherMetadataStore(provider string, log *logp.Logger) *Publishe Levels: map[uint8]string{}, Tasks: map[uint16]string{}, }, - Events: map[uint32]*EventMetadata{}, + EventsNewest: map[uint16]*EventMetadata{}, + EventsByVersion: map[uint32]*EventMetadata{}, EventFingerprints: map[uint32]map[uint64]*EventMetadata{}, MessagesByID: map[uint32]string{}, log: log.With("publisher", provider, "empty", true), @@ -183,7 +188,8 @@ func (s *PublisherMetadataStore) initEvents() error { } defer itr.Close() - s.Events = map[uint32]*EventMetadata{} + s.EventsNewest = map[uint16]*EventMetadata{} + s.EventsByVersion = map[uint32]*EventMetadata{} for itr.Next() { evt, err := newEventMetadataFromPublisherMetadata(itr, s.Metadata) if err != nil { @@ -191,7 +197,8 @@ func (s *PublisherMetadataStore) initEvents() error { "error", err) continue } - s.Events[getEventCombinedID(evt.EventID, evt.Version)] = evt + s.EventsNewest[evt.EventID] = evt + s.EventsByVersion[getEventCombinedID(evt.EventID, evt.Version)] = evt } return itr.Err() } @@ -235,8 +242,12 @@ func (s *PublisherMetadataStore) getEventMetadata(eventID uint16, version uint8, // metadata then we just associate the fingerprint with a pointer to the // providers metadata for the event ID. - defaultEM := s.Events[combinedID] - + defaultEM, found := s.EventsByVersion[combinedID] + if !found { + // if we do not have a specific metadata for this event version + // we fallback to get the newest available one + defaultEM = s.EventsNewest[eventID] + } // Use XML to get the parameters names. em, err := newEventMetadataFromEventHandle(s.Metadata, eventHandle) if err != nil { diff --git a/winlogbeat/sys/wineventlog/metadata_store_test.go b/winlogbeat/sys/wineventlog/metadata_store_test.go index 86b02edd6815..1e6789b1d0b5 100644 --- a/winlogbeat/sys/wineventlog/metadata_store_test.go +++ b/winlogbeat/sys/wineventlog/metadata_store_test.go 
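Review bot: In the initEvents hunk, `s.EventsNewest[evt.EventID] = evt` stores whichever version the publisher iterator yields last, not necessarily the highest `evt.Version`; nothing visible orders the iteration, so the field name promises more than the code guarantees, and getEventMetadata's new fallback then renders events with whatever version happened to come last. Guarding the write makes it explicit: `if cur, ok := s.EventsNewest[evt.EventID]; !ok || evt.Version >= cur.Version {` / `s.EventsNewest[evt.EventID] = evt` / `}`. The struct comment on EventsNewest in the earlier hunk could then read "highest version seen for each event ID" rather than "latest metadata available".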
@@ -40,7 +40,7 @@ func TestPublisherMetadataStore(t *testing.T) { } defer s.Close() - assert.NotEmpty(t, s.Events) + assert.NotEmpty(t, s.EventsByVersion) assert.Empty(t, s.EventFingerprints) t.Run("event_metadata_from_handle", func(t *testing.T) { diff --git a/winlogbeat/tests/system/config/winlogbeat.yml.j2 b/winlogbeat/tests/system/config/winlogbeat.yml.j2 index 77bb1475eda2..e8863dce3828 100644 --- a/winlogbeat/tests/system/config/winlogbeat.yml.j2 +++ b/winlogbeat/tests/system/config/winlogbeat.yml.j2 @@ -4,9 +4,6 @@ winlogbeat.event_logs: {% for log in event_logs -%} - name: {{ log.name }} - {%- if log.api is defined %} - api: {{ log.api }} - {% endif %} {%- if log.ignore_older is defined %} ignore_older: {{ log.ignore_older }} {% endif %} diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py index 267e67e974fb..580d82989cfa 100644 --- a/winlogbeat/tests/system/test_wineventlog.py +++ b/winlogbeat/tests/system/test_wineventlog.py @@ -20,7 +20,6 @@ class Test(WriteReadTest): @classmethod def setUpClass(self): - self.api = "wineventlog" super(WriteReadTest, self).setUpClass() def test_read_one_event(self): @@ -33,7 +32,6 @@ def test_read_one_event(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) def test_resume_reading_events(self): @@ -46,7 +44,6 @@ def test_resume_reading_events(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) # remove the output file, otherwise there is a race condition @@ -60,7 +57,6 @@ def test_resume_reading_events(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) def test_cleared_channel_restarts(self): 
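Review bot: Dropping `"winlog.opcode": "Info"` from the expected fields in the test_wineventlog.py hunk at -33 (and likewise at -46, -60, -151, -174, -200 and -227) removes coverage rather than pinning the new behaviour; if the raw API no longer populates winlog.opcode for these classic-provider events, that is a user-visible field change that detection rules keyed on that field would feel, and it deserves a CHANGELOG entry alongside the "default to raw api" line. An explicit assertion states the intent either way, e.g. `self.assertNotIn("winlog.opcode", evts[0])` after `assert_common_fields`, assuming evts[0] is the flat dict the `extra` keys suggest. If the field is still emitted and only its value changed, the expectation should be updated instead of deleted.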
@@ -151,7 +147,6 @@ def test_read_unknown_event_id(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], eventID="1111", extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) self.assertEqual( @@ -174,7 +169,6 @@ def test_read_unknown_sid(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, sid=accountIdentifier, extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", }) def test_fields_under_root(self): @@ -190,7 +184,6 @@ def test_fields_under_root(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "tags": ["local"], "fields_under_root": True, "fields": {"local": "field", "env": "dev"} @@ -200,7 +193,6 @@ def test_fields_under_root(self): self.assertTrue(len(evts), 1) self.assert_common_fields(evts[0], msg=msg, level="overwrite", extra={ "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", "global": "field", "env": "dev", "local": "field", @@ -218,7 +210,6 @@ def test_fields_not_under_root(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "fields": {"local": "field", "env": "dev", "num": 1} } ] @@ -227,7 +218,6 @@ def test_fields_not_under_root(self): self.assert_common_fields(evts[0], msg=msg, extra={ "log.level": "information", "winlog.keywords": ["Classic"], - "winlog.opcode": "Info", "fields.global": "field", "fields.env": "dev", "fields.level": "overwrite", @@ -273,7 +263,6 @@ def test_query_event_id(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "event_id": "50, 100-200, -150" } ] @@ -298,7 +287,6 @@ def test_query_level_single(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "level": "warning" } ] @@ -322,7 +310,6 @@ def test_query_level_multiple(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "level": "error, warning" } ] @@ -344,7 +331,6 @@ def test_query_ignore_older(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "ignore_older": "2s" } ] 
@@ -363,7 +349,6 @@ def test_query_provider(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "provider": [self.otherAppName] } ] @@ -384,7 +369,6 @@ def test_query_multi_param(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "event_id": "10-20, 30-40, -35, -18, 400-1000, -432", "level": "warn, error", "provider": [self.otherAppName] @@ -407,7 +391,6 @@ def test_utf16_characters(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "include_xml": True, } ] @@ -439,7 +422,6 @@ def test_processors(self): "event_logs": [ { "name": self.providerName, - "api": self.api, "extras": { "processors": [ { diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-9.01.evtx.golden.json index 5afbd430e86c..aa74cc3d9a54 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-9.01.evtx.golden.json @@ -1347,9 +1347,6 @@ }, { "@timestamp": "2019-03-18T16:57:52.4021191Z", - "error": { - "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." - }, "event": { "action": "File creation time changed (rule: FileCreateTime)", "code": "2", 
@@ -1362,18 +1359,18 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.387\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\nCreationUtcTime: 2019-03-18 16:52:04.980\nPreviousCreationUtcTime: 2019-03-18 16:57:52.387\nUser: %9", "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "error": {}, "event_data": { - "param1": "2019-03-18 16:57:52.387", - "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", - "param3": "1600", - "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp", - "param6": "2019-03-18 16:52:04.980", - "param7": "2019-03-18 16:57:52.387" + "CreationUtcTime": "2019-03-18 16:52:04.980", + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.387", + "ProcessGuid": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp", + "UtcTime": "2019-03-18 16:57:52.387" }, "event_id": "2", "opcode": "Info", @@ -1398,9 +1395,6 @@ }, { "@timestamp": "2019-03-18T16:57:52.417733Z", - "error": { - "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." - }, "event": { "action": "File creation time changed (rule: FileCreateTime)", "code": "2", 
@@ -1413,18 +1407,18 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.417\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\nCreationUtcTime: 2019-03-18 16:52:04.980\nPreviousCreationUtcTime: 2019-03-18 16:57:52.402\nUser: %9", "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "error": {}, "event_data": { - "param1": "2019-03-18 16:57:52.417", - "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", - "param3": "1600", - "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp", - "param6": "2019-03-18 16:52:04.980", - "param7": "2019-03-18 16:57:52.402" + "CreationUtcTime": "2019-03-18 16:52:04.980", + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402", + "ProcessGuid": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp", + "UtcTime": "2019-03-18 16:57:52.417" }, "event_id": "2", "opcode": "Info", @@ -1449,9 +1443,6 @@ }, { "@timestamp": "2019-03-18T16:57:52.417733Z", - "error": { - "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." - }, "event": { "action": "File creation time changed (rule: FileCreateTime)", "code": "2", 
@@ -1464,18 +1455,18 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.417\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\nCreationUtcTime: 2019-03-18 16:52:05.028\nPreviousCreationUtcTime: 2019-03-18 16:57:52.402\nUser: %9", "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "error": {}, "event_data": { - "param1": "2019-03-18 16:57:52.417", - "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", - "param3": "1600", - "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", - "param6": "2019-03-18 16:52:05.028", - "param7": "2019-03-18 16:57:52.402" + "CreationUtcTime": "2019-03-18 16:52:05.028", + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.402", + "ProcessGuid": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp", + "UtcTime": "2019-03-18 16:57:52.417" }, "event_id": "2", "opcode": "Info", @@ -1500,9 +1491,6 @@ }, { "@timestamp": "2019-03-18T16:57:52.417733Z", - "error": { - "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." - }, "event": { "action": "File creation time changed (rule: FileCreateTime)", "code": "2", 
@@ -1515,18 +1503,18 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.417\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\nCreationUtcTime: 2019-03-18 16:51:54.980\nPreviousCreationUtcTime: 2019-03-18 16:57:52.417\nUser: %9", "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "error": {}, "event_data": { - "param1": "2019-03-18 16:57:52.417", - "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", - "param3": "1600", - "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", - "param6": "2019-03-18 16:51:54.980", - "param7": "2019-03-18 16:57:52.417" + "CreationUtcTime": "2019-03-18 16:51:54.980", + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417", + "ProcessGuid": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp", + "UtcTime": "2019-03-18 16:57:52.417" }, "event_id": "2", "opcode": "Info", @@ -1596,9 +1584,6 @@ }, { "@timestamp": "2019-03-18T16:57:52.4333673Z", - "error": { - "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." - }, "event": { "action": "File creation time changed (rule: FileCreateTime)", "code": "2", 
@@ -1611,18 +1596,18 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.433\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\nCreationUtcTime: 2019-03-18 16:52:08.496\nPreviousCreationUtcTime: 2019-03-18 16:57:52.417\nUser: %9", "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "error": {}, "event_data": { - "param1": "2019-03-18 16:57:52.433", - "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", - "param3": "1600", - "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", - "param6": "2019-03-18 16:52:08.496", - "param7": "2019-03-18 16:57:52.417" + "CreationUtcTime": "2019-03-18 16:52:08.496", + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417", + "ProcessGuid": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp", + "UtcTime": "2019-03-18 16:57:52.433" }, "event_id": "2", "opcode": "Info", 
@@ -1647,9 +1632,6 @@ }, { "@timestamp": "2019-03-18T16:57:52.4333673Z", - "error": { - "message": "failed to get the event message string: failed in EvtFormatMessage: The message resource is present but the message was not found in the message table." - }, "event": { "action": "File creation time changed (rule: FileCreateTime)", "code": "2", 
@@ -1662,18 +1644,18 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.433\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\nCreationUtcTime: 2019-03-18 16:52:05.339\nPreviousCreationUtcTime: 2019-03-18 16:57:52.417\nUser: %9", "winlog": { "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", - "error": {}, "event_data": { - "param1": "2019-03-18 16:57:52.433", - "param2": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", - "param3": "1600", - "param4": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", - "param5": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", - "param6": "2019-03-18 16:52:05.339", - "param7": "2019-03-18 16:57:52.417" + "CreationUtcTime": "2019-03-18 16:52:05.339", + "Image": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", + "PreviousCreationUtcTime": "2019-03-18 16:57:52.417", + "ProcessGuid": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", + "ProcessId": "1600", + "TargetFilename": "C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp", + "UtcTime": "2019-03-18 16:57:52.433" }, "event_id": "2", "opcode": "Info", diff --git a/x-pack/winlogbeat/module/testing.go b/x-pack/winlogbeat/module/testing.go index f1d38fceac82..21509f6c95e1 100644 --- a/x-pack/winlogbeat/module/testing.go +++ b/x-pack/winlogbeat/module/testing.go 
@@ -33,7 +33,7 @@ import (
 "github.com/elastic/elastic-agent-libs/transport/httpcommon"
 )
 
-var update = flag.Bool("update", false, "update golden files")
+var update = flag.Bool("update", true, "update golden files")
 
 // Option configures the test behavior.
 type Option func(*params)
diff --git a/x-pack/winlogbeat/module/testing_windows.go b/x-pack/winlogbeat/module/testing_windows.go
index 607ec9454bd1..7a9d1e70a844 100644
--- a/x-pack/winlogbeat/module/testing_windows.go
+++ b/x-pack/winlogbeat/module/testing_windows.go
@@ -65,7 +65,6 @@ func testCollectionPipeline(t testing.TB, evtx string, p *params) {
 // Open evtx file.
 log, err := eventlog.New(config.MustNewConfigFrom(mapstr.M{
 "name": path,
- "api": "wineventlog",
 "no_more_events": "stop",
 }))
 if err != nil {
From bb6b1fb784081edee6b7784709f7199a20c5772f Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Wed, 15 Jan 2025 11:07:35 +0100
Subject: [PATCH 13/20] Fix security pipeline for new rendered events

---
 .../module/security/ingest/security.yml | 1001 ++++++++++++++++-
 1 file changed, 994 insertions(+), 7 deletions(-)

diff --git a/x-pack/winlogbeat/module/security/ingest/security.yml b/x-pack/winlogbeat/module/security/ingest/security.yml
index 020b14af356b..313f0333ab45 100644
--- a/x-pack/winlogbeat/module/security/ingest/security.yml
+++ b/x-pack/winlogbeat/module/security/ingest/security.yml
@@ -885,9 +885,10 @@ processors:
 return;
 }
 ArrayList uac_array = new ArrayList();
- for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken("%%")) {
- if (elem.trim().length() > 0) {
- uac_array.add(elem.trim());
+ for (elem in ctx.winlog.event_data.UserAccountControl.splitOnToken((String)((char)0x0a))) {
+ def trimmed = elem.replace("%%","").trim();
+ if (trimmed.length() > 0) {
+ uac_array.add(trimmed);
 }
 }
 ctx.winlog.event_data.UserAccountControl = uac_array;
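Review bot: Flipping the default of the `-update` flag to true in testing.go means every ordinary test run rewrites the golden files instead of comparing against them, so a regression in the rendered output can never fail CI; this reads like a local debugging leftover rather than an intended change. It should go back to `var update = flag.Bool("update", false, "update golden files")`, with the goldens regenerated once deliberately via `-update` and committed. The nearby testing_windows.go hunk only drops the obsolete `api` key and needs nothing further.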
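Review bot: In the security.yml script hunk, `splitOnToken((String)((char)0x0a))` builds a newline through a double cast where Painless accepts the Java string escape directly; `splitOnToken("\n")` says what it does. The `replace("%%","")` keeps un-rendered `%%NNNN` tokens usable only if they were already newline-separated in the event data — if an older event carries several tokens on one line, the loop now yields one merged element instead of one per token, which the later `reversed_descriptions` lookup would not match; a pipeline test fixture with that shape next to a rendered one would show whether that matters. The enclosing script block starts before the hunk.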
@@ -2122,6 +2123,976 @@ processors: "16901": "Remote Access" "16902": "Subscribe" "16903": "Publish" + reversed_descriptions: + "Undefined Access (no effect) Bit 7" : "279" + "Unused message ID" : "1536" + "DELETE" : "1537" + "READ_CONTROL" : "1538" + "WRITE_DAC" : "1539" + "WRITE_OWNER" : "1540" + "SYNCHRONIZE" : "1541" + "ACCESS_SYS_SEC" : "1542" + "MAX_ALLOWED" : "1543" + "Unknown specific access (bit 0)" : "1552" + "Unknown specific access (bit 1)" : "1553" + "Unknown specific access (bit 2)" : "1554" + "Unknown specific access (bit 3)" : "1555" + "Unknown specific access (bit 4)" : "1556" + "Unknown specific access (bit 5)" : "1557" + "Unknown specific access (bit 6)" : "1558" + "Unknown specific access (bit 7)" : "1559" + "Unknown specific access (bit 8)" : "1560" + "Unknown specific access (bit 9)" : "1561" + "Unknown specific access (bit 10)" : "1562" + "Unknown specific access (bit 11)" : "1563" + "Unknown specific access (bit 12)" : "1564" + "Unknown specific access (bit 13)" : "1565" + "Unknown specific access (bit 14)" : "1566" + "Unknown specific access (bit 15)" : "1567" + "Not used" : "1601" + "Assign Primary Token Privilege" : "1603" + "Lock Memory Privilege" : "1604" + "Increase Memory Quota Privilege" : "1605" + "Unsolicited Input Privilege" : "1606" + "Trusted Computer Base Privilege" : "1607" + "Security Privilege" : "1608" + "Take Ownership Privilege" : "1609" + "Load/Unload Driver Privilege" : "1610" + "Profile System Privilege" : "1611" + "Set System Time Privilege" : "1612" + "Profile Single Process Privilege" : "1613" + "Increment Base Priority Privilege" : "1614" + "Create Pagefile Privilege" : "1615" + "Create Permanent Object Privilege" : "1616" + "Backup Privilege" : "1617" + "Restore From Backup Privilege" : "1618" + "Shutdown System Privilege" : "1619" + "Debug Privilege" : "1620" + "View or Change Audit Log Privilege" : "1621" + "Change Hardware Environment Privilege" : "1622" + "Change Notify (and Traverse) Privilege" : "1623" + 
"Remotely Shut System Down Privilege" : "1624" + "" : "1793" + "" : "1794" + "Enabled" : "1795" + "Disabled" : "1796" + "All" : "1797" + "None" : "1798" + "Audit Policy query/set API Operation" : "1799" + "" : "1800" + "Granted by" : "1801" + "Denied by" : "1802" + "Denied by Integrity Policy check" : "1803" + "Granted by Ownership" : "1804" + "Not granted" : "1805" + "Granted by NULL DACL" : "1806" + "Denied by Empty DACL" : "1807" + "Granted by NULL Security Descriptor" : "1808" + "Unknown or unchecked" : "1809" + "Not granted due to missing" : "1810" + "Granted by ACE on parent folder" : "1811" + "Denied by ACE on parent folder" : "1812" + "Granted by Central Access Rule" : "1813" + "NOT Granted by Central Access Rule" : "1814" + "Granted by parent folder's Central Access Rule" : "1815" + "NOT Granted by parent folder's Central Access Rule" : "1816" + "Unknown Type" : "1817" + "String" : "1818" + "Unsigned 64-bit Integer" : "1819" + "64-bit Integer" : "1820" + "FQBN" : "1821" + "Blob" : "1822" + "Sid" : "1823" + "Boolean" : "1824" + "TRUE" : "1825" + "FALSE" : "1826" + "Invalid" : "1827" + "an ACE too long to display" : "1828" + "a Security Descriptor too long to display" : "1829" + "Not granted to AppContainers" : "1830" + "..." : "1831" + "Identification" : "1832" + "Impersonation" : "1833" + "Delegation" : "1840" + "Denied by Process Trust Label ACE" : "1841" + "Yes" : "1842" + "No" : "1843" + "System" : "1844" + "Not Available" : "1845" + "Default" : "1846" + "DisallowMmConfig" : "1847" + "Off" : "1848" + "Auto" : "1849" + "REG_NONE" : "1872" + "REG_SZ" : "1873" + "REG_EXPAND_SZ" : "1874" + "REG_BINARY" : "1875" + "REG_DWORD" : "1876" + "REG_DWORD_BIG_ENDIAN" : "1877" + "REG_LINK" : "1878" + "REG_MULTI_SZ (New lines are replaced with *. 
A * is replaced with **)" : "1879" + "REG_RESOURCE_LIST" : "1880" + "REG_FULL_RESOURCE_DESCRIPTOR" : "1881" + "REG_RESOURCE_REQUIREMENTS_LIST" : "1882" + "REG_QWORD" : "1883" + "New registry value created" : "1904" + "Existing registry value modified" : "1905" + "Registry value deleted" : "1906" + "Sunday" : "1920" + "Monday" : "1921" + "Tuesday" : "1922" + "Wednesday" : "1923" + "Thursday" : "1924" + "Friday" : "1925" + "Saturday" : "1926" + "TokenElevationTypeDefault (1)" : "1936" + "TokenElevationTypeFull (2)" : "1937" + "TokenElevationTypeLimited (3)" : "1938" + "Account Enabled" : "2048" + "Home Directory Required' - Disabled" : "2049" + "Password Not Required' - Disabled" : "2050" + "Temp Duplicate Account' - Disabled" : "2051" + "Normal Account' - Disabled" : "2052" + "MNS Logon Account' - Disabled" : "2053" + "Interdomain Trust Account' - Disabled" : "2054" + "Workstation Trust Account' - Disabled" : "2055" + "Server Trust Account' - Disabled" : "2056" + "Don't Expire Password' - Disabled" : "2057" + "Account Unlocked" : "2058" + "Encrypted Text Password Allowed' - Disabled" : "2059" + "Smartcard Required' - Disabled" : "2060" + "Trusted For Delegation' - Disabled" : "2061" + "Not Delegated' - Disabled" : "2062" + "Use DES Key Only' - Disabled" : "2063" + "Don't Require Preauth' - Disabled" : "2064" + "Password Expired' - Disabled" : "2065" + "Trusted To Authenticate For Delegation' - Disabled" : "2066" + "Exclude Authorization Information' - Disabled" : "2067" + "Undefined UserAccountControl Bit 20' - Disabled" : "2068" + "Protect Kerberos Service Tickets with AES Keys' - Disabled" : "2069" + "Undefined UserAccountControl Bit 22' - Disabled" : "2070" + "Undefined UserAccountControl Bit 23' - Disabled" : "2071" + "Undefined UserAccountControl Bit 24' - Disabled" : "2072" + "Undefined UserAccountControl Bit 25' - Disabled" : "2073" + "Undefined UserAccountControl Bit 26' - Disabled" : "2074" + "Undefined UserAccountControl Bit 27' - Disabled" : "2075" + 
"Undefined UserAccountControl Bit 28' - Disabled" : "2076" + "Undefined UserAccountControl Bit 29' - Disabled" : "2077" + "Undefined UserAccountControl Bit 30' - Disabled" : "2078" + "Undefined UserAccountControl Bit 31' - Disabled" : "2079" + "Account Disabled" : "2080" + "Home Directory Required' - Enabled" : "2081" + "Password Not Required' - Enabled" : "2082" + "Temp Duplicate Account' - Enabled" : "2083" + "Normal Account' - Enabled" : "2084" + "MNS Logon Account' - Enabled" : "2085" + "Interdomain Trust Account' - Enabled" : "2086" + "Workstation Trust Account' - Enabled" : "2087" + "Server Trust Account' - Enabled" : "2088" + "Don't Expire Password' - Enabled" : "2089" + "Account Locked" : "2090" + "Encrypted Text Password Allowed' - Enabled" : "2091" + "Smartcard Required' - Enabled" : "2092" + "Trusted For Delegation' - Enabled" : "2093" + "Not Delegated' - Enabled" : "2094" + "Use DES Key Only' - Enabled" : "2095" + "Don't Require Preauth' - Enabled" : "2096" + "Password Expired' - Enabled" : "2097" + "Trusted To Authenticate For Delegation' - Enabled" : "2098" + "Exclude Authorization Information' - Enabled" : "2099" + "Undefined UserAccountControl Bit 20' - Enabled" : "2100" + "Protect Kerberos Service Tickets with AES Keys' - Enabled" : "2101" + "Undefined UserAccountControl Bit 22' - Enabled" : "2102" + "Undefined UserAccountControl Bit 23' - Enabled" : "2103" + "Undefined UserAccountControl Bit 24' - Enabled" : "2104" + "Undefined UserAccountControl Bit 25' - Enabled" : "2105" + "Undefined UserAccountControl Bit 26' - Enabled" : "2106" + "Undefined UserAccountControl Bit 27' - Enabled" : "2107" + "Undefined UserAccountControl Bit 28' - Enabled" : "2108" + "Undefined UserAccountControl Bit 29' - Enabled" : "2109" + "Undefined UserAccountControl Bit 30' - Enabled" : "2110" + "Undefined UserAccountControl Bit 31' - Enabled" : "2111" + "An Error occured during Logon." : "2304" + "The specified user account has expired." 
: "2305" + "The NetLogon component is not active." : "2306" + "Account locked out." : "2307" + "The user has not been granted the requested logon type at this machine." : "2308" + "The specified account's password has expired." : "2309" + "Account currently disabled." : "2310" + "Account logon time restriction violation." : "2311" + "User not allowed to logon at this computer." : "2312" + "Unknown user name or bad password." : "2313" + "Domain sid inconsistent." : "2314" + "Smartcard logon is required and was not used." : "2315" + "Not Available." : "2432" + "Random number generator failure." : "2436" + "Random number generation failed FIPS-140 pre-hash check." : "2437" + "Failed to zero secret data." : "2438" + "Key failed pair wise consistency check." : "2439" + "Failed to unprotect persistent cryptographic key." : "2448" + "Key export checks failed." : "2449" + "Validation of public key failed." : "2450" + "Signature verification failed." : "2451" + "Open key file." : "2456" + "Delete key file." : "2457" + "Read persisted key from file." : "2458" + "Write persisted key to file." : "2459" + "Export of persistent cryptographic key." : "2464" + "Import of persistent cryptographic key." : "2465" + "Open Key." : "2480" + "Create Key." : "2481" + "Delete Key." : "2482" + "Encrypt." : "2483" + "Decrypt." : "2484" + "Sign hash." : "2485" + "Secret agreement." : "2486" + "Domain settings" : "2487" + "Local settings" : "2488" + "Add provider." : "2489" + "Remove provider." : "2490" + "Add context." : "2491" + "Remove context." : "2492" + "Add function." : "2493" + "Remove function." : "2494" + "Add function provider." : "2495" + "Remove function provider." : "2496" + "Add function property." : "2497" + "Remove function property." : "2498" + "Machine key." : "2499" + "User key." : "2500" + "Key Derivation." 
: "2501" + "Device Access Bit 0" : "4352" + "Device Access Bit 1" : "4353" + "Device Access Bit 2" : "4354" + "Device Access Bit 3" : "4355" + "Device Access Bit 4" : "4356" + "Device Access Bit 5" : "4357" + "Device Access Bit 6" : "4358" + "Device Access Bit 7" : "4359" + "Device Access Bit 8" : "4360" + "Undefined Access (no effect) Bit 9" : "4361" + "Undefined Access (no effect) Bit 10" : "4362" + "Undefined Access (no effect) Bit 11" : "4363" + "Undefined Access (no effect) Bit 12" : "4364" + "Undefined Access (no effect) Bit 13" : "4365" + "Undefined Access (no effect) Bit 14" : "4366" + "Undefined Access (no effect) Bit 15" : "4367" + "Query directory" : "4368" + "Traverse" : "4369" + "Create object in directory" : "4370" + "Create sub-directory" : "4371" + "Undefined Access (no effect) Bit 4" : "4372" + "Undefined Access (no effect) Bit 5" : "4373" + "Undefined Access (no effect) Bit 6" : "4374" + "Undefined Access (no effect) Bit 7" : "4375" + "Undefined Access (no effect) Bit 8" : "4376" + "Undefined Access (no effect) Bit 9" : "4377" + "Undefined Access (no effect) Bit 10" : "4378" + "Undefined Access (no effect) Bit 11" : "4379" + "Undefined Access (no effect) Bit 12" : "4380" + "Undefined Access (no effect) Bit 13" : "4381" + "Undefined Access (no effect) Bit 14" : "4382" + "Undefined Access (no effect) Bit 15" : "4383" + "Query event state" : "4384" + "Modify event state" : "4385" + "Undefined Access (no effect) Bit 2" : "4386" + "Undefined Access (no effect) Bit 3" : "4387" + "Undefined Access (no effect) Bit 4" : "4388" + "Undefined Access (no effect) Bit 5" : "4389" + "Undefined Access (no effect) Bit 6" : "4390" + "Undefined Access (no effect) Bit 7" : "4391" + "Undefined Access (no effect) Bit 8" : "4392" + "Undefined Access (no effect) Bit 9" : "4393" + "Undefined Access (no effect) Bit 10" : "4394" + "Undefined Access (no effect) Bit 11" : "4395" + "Undefined Access (no effect) Bit 12" : "4396" + "Undefined Access (no effect) Bit 13" : "4397" + 
"Undefined Access (no effect) Bit 14" : "4398" + "Undefined Access (no effect) Bit 15" : "4399" + "ReadData (or ListDirectory)" : "4416" + "WriteData (or AddFile)" : "4417" + "AppendData (or AddSubdirectory or CreatePipeInstance)" : "4418" + "ReadEA" : "4419" + "WriteEA" : "4420" + "Execute/Traverse" : "4421" + "DeleteChild" : "4422" + "ReadAttributes" : "4423" + "WriteAttributes" : "4424" + "Undefined Access (no effect) Bit 9" : "4425" + "Undefined Access (no effect) Bit 10" : "4426" + "Undefined Access (no effect) Bit 11" : "4427" + "Undefined Access (no effect) Bit 12" : "4428" + "Undefined Access (no effect) Bit 13" : "4429" + "Undefined Access (no effect) Bit 14" : "4430" + "Undefined Access (no effect) Bit 15" : "4431" + "Query key value" : "4432" + "Set key value" : "4433" + "Create sub-key" : "4434" + "Enumerate sub-keys" : "4435" + "Notify about changes to keys" : "4436" + "Create Link" : "4437" + "Undefined Access (no effect) Bit 6" : "4438" + "Undefined Access (no effect) Bit 7" : "4439" + "Enable 64(or 32) bit application to open 64 bit key" : "4440" + "Enable 64(or 32) bit application to open 32 bit key" : "4441" + "Undefined Access (no effect) Bit 10" : "4442" + "Undefined Access (no effect) Bit 11" : "4443" + "Undefined Access (no effect) Bit 12" : "4444" + "Undefined Access (no effect) Bit 13" : "4445" + "Undefined Access (no effect) Bit 14" : "4446" + "Undefined Access (no effect) Bit 15" : "4447" + "Query mutant state" : "4448" + "Undefined Access (no effect) Bit 1" : "4449" + "Undefined Access (no effect) Bit 2" : "4450" + "Undefined Access (no effect) Bit 3" : "4451" + "Undefined Access (no effect) Bit 4" : "4452" + "Undefined Access (no effect) Bit 5" : "4453" + "Undefined Access (no effect) Bit 6" : "4454" + "Undefined Access (no effect) Bit 7" : "4455" + "Undefined Access (no effect) Bit 8" : "4456" + "Undefined Access (no effect) Bit 9" : "4457" + "Undefined Access (no effect) Bit 10" : "4458" + "Undefined Access (no effect) Bit 11" : "4459" 
+ "Undefined Access (no effect) Bit 12" : "4460" + "Undefined Access (no effect) Bit 13" : "4461" + "Undefined Access (no effect) Bit 14" : "4462" + "Undefined Access (no effect) Bit 15" : "4463" + "Communicate using port" : "4464" + "Undefined Access (no effect) Bit 1" : "4465" + "Undefined Access (no effect) Bit 2" : "4466" + "Undefined Access (no effect) Bit 3" : "4467" + "Undefined Access (no effect) Bit 4" : "4468" + "Undefined Access (no effect) Bit 5" : "4469" + "Undefined Access (no effect) Bit 6" : "4470" + "Undefined Access (no effect) Bit 7" : "4471" + "Undefined Access (no effect) Bit 8" : "4472" + "Undefined Access (no effect) Bit 9" : "4473" + "Undefined Access (no effect) Bit 10" : "4474" + "Undefined Access (no effect) Bit 11" : "4475" + "Undefined Access (no effect) Bit 12" : "4476" + "Undefined Access (no effect) Bit 13" : "4477" + "Undefined Access (no effect) Bit 14" : "4478" + "Undefined Access (no effect) Bit 15" : "4479" + "Force process termination" : "4480" + "Create new thread in process" : "4481" + "Set process session ID" : "4482" + "Perform virtual memory operation" : "4483" + "Read from process memory" : "4484" + "Write to process memory" : "4485" + "Duplicate handle into or out of process" : "4486" + "Create a subprocess of process" : "4487" + "Set process quotas" : "4488" + "Set process information" : "4489" + "Query process information" : "4490" + "Set process termination port" : "4491" + "Undefined Access (no effect) Bit 12" : "4492" + "Undefined Access (no effect) Bit 13" : "4493" + "Undefined Access (no effect) Bit 14" : "4494" + "Undefined Access (no effect) Bit 15" : "4495" + "Control profile" : "4496" + "Undefined Access (no effect) Bit 1" : "4497" + "Undefined Access (no effect) Bit 2" : "4498" + "Undefined Access (no effect) Bit 3" : "4499" + "Undefined Access (no effect) Bit 4" : "4500" + "Undefined Access (no effect) Bit 5" : "4501" + "Undefined Access (no effect) Bit 6" : "4502" + "Undefined Access (no effect) Bit 7" : 
"4503" + "Undefined Access (no effect) Bit 8" : "4504" + "Undefined Access (no effect) Bit 9" : "4505" + "Undefined Access (no effect) Bit 10" : "4506" + "Undefined Access (no effect) Bit 11" : "4507" + "Undefined Access (no effect) Bit 12" : "4508" + "Undefined Access (no effect) Bit 13" : "4509" + "Undefined Access (no effect) Bit 14" : "4510" + "Undefined Access (no effect) Bit 15" : "4511" + "Query section state" : "4512" + "Map section for write" : "4513" + "Map section for read" : "4514" + "Map section for execute" : "4515" + "Extend size" : "4516" + "Undefined Access (no effect) Bit 5" : "4517" + "Undefined Access (no effect) Bit 6" : "4518" + "Undefined Access (no effect) Bit 7" : "4519" + "Undefined Access (no effect) Bit 8" : "4520" + "Undefined Access (no effect) Bit 9" : "4521" + "Undefined Access (no effect) Bit 10" : "4522" + "Undefined Access (no effect) Bit 11" : "4523" + "Undefined Access (no effect) Bit 12" : "4524" + "Undefined Access (no effect) Bit 13" : "4525" + "Undefined Access (no effect) Bit 14" : "4526" + "Undefined Access (no effect) Bit 15" : "4527" + "Query semaphore state" : "4528" + "Modify semaphore state" : "4529" + "Undefined Access (no effect) Bit 2" : "4530" + "Undefined Access (no effect) Bit 3" : "4531" + "Undefined Access (no effect) Bit 4" : "4532" + "Undefined Access (no effect) Bit 5" : "4533" + "Undefined Access (no effect) Bit 6" : "4534" + "Undefined Access (no effect) Bit 7" : "4535" + "Undefined Access (no effect) Bit 8" : "4536" + "Undefined Access (no effect) Bit 9" : "4537" + "Undefined Access (no effect) Bit 10" : "4538" + "Undefined Access (no effect) Bit 11" : "4539" + "Undefined Access (no effect) Bit 12" : "4540" + "Undefined Access (no effect) Bit 13" : "4541" + "Undefined Access (no effect) Bit 14" : "4542" + "Undefined Access (no effect) Bit 15" : "4543" + "Use symbolic link" : "4544" + "Undefined Access (no effect) Bit 1" : "4545" + "Undefined Access (no effect) Bit 2" : "4546" + "Undefined Access (no 
effect) Bit 3" : "4547" + "Undefined Access (no effect) Bit 4" : "4548" + "Undefined Access (no effect) Bit 5" : "4549" + "Undefined Access (no effect) Bit 6" : "4550" + "Undefined Access (no effect) Bit 7" : "4551" + "Undefined Access (no effect) Bit 8" : "4552" + "Undefined Access (no effect) Bit 9" : "4553" + "Undefined Access (no effect) Bit 10" : "4554" + "Undefined Access (no effect) Bit 11" : "4555" + "Undefined Access (no effect) Bit 12" : "4556" + "Undefined Access (no effect) Bit 13" : "4557" + "Undefined Access (no effect) Bit 14" : "4558" + "Undefined Access (no effect) Bit 15" : "4559" + "Force thread termination" : "4560" + "Suspend or resume thread" : "4561" + "Send an alert to thread" : "4562" + "Get thread context" : "4563" + "Set thread context" : "4564" + "Set thread information" : "4565" + "Query thread information" : "4566" + "Assign a token to the thread" : "4567" + "Cause thread to directly impersonate another thread" : "4568" + "Directly impersonate this thread" : "4569" + "Undefined Access (no effect) Bit 10" : "4570" + "Undefined Access (no effect) Bit 11" : "4571" + "Undefined Access (no effect) Bit 12" : "4572" + "Undefined Access (no effect) Bit 13" : "4573" + "Undefined Access (no effect) Bit 14" : "4574" + "Undefined Access (no effect) Bit 15" : "4575" + "Query timer state" : "4576" + "Modify timer state" : "4577" + "Undefined Access (no effect) Bit 2" : "4578" + "Undefined Access (no effect) Bit 3" : "4579" + "Undefined Access (no effect) Bit 4" : "4580" + "Undefined Access (no effect) Bit 5" : "4581" + "Undefined Access (no effect) Bit 6" : "4582" + "Undefined Access (no effect) Bit 8" : "4584" + "Undefined Access (no effect) Bit 9" : "4585" + "Undefined Access (no effect) Bit 10" : "4586" + "Undefined Access (no effect) Bit 11" : "4587" + "Undefined Access (no effect) Bit 12" : "4588" + "Undefined Access (no effect) Bit 13" : "4589" + "Undefined Access (no effect) Bit 14" : "4590" + "Undefined Access (no effect) Bit 15" : "4591" + 
"AssignAsPrimary" : "4592" + "Duplicate" : "4593" + "Impersonate" : "4594" + "Query" : "4595" + "QuerySource" : "4596" + "AdjustPrivileges" : "4597" + "AdjustGroups" : "4598" + "AdjustDefaultDacl" : "4599" + "AdjustSessionID" : "4600" + "Undefined Access (no effect) Bit 9" : "4601" + "Undefined Access (no effect) Bit 10" : "4602" + "Undefined Access (no effect) Bit 11" : "4603" + "Undefined Access (no effect) Bit 12" : "4604" + "Undefined Access (no effect) Bit 13" : "4605" + "Undefined Access (no effect) Bit 14" : "4606" + "Undefined Access (no effect) Bit 15" : "4607" + "Create instance of object type" : "4608" + "Undefined Access (no effect) Bit 1" : "4609" + "Undefined Access (no effect) Bit 2" : "4610" + "Undefined Access (no effect) Bit 3" : "4611" + "Undefined Access (no effect) Bit 4" : "4612" + "Undefined Access (no effect) Bit 5" : "4613" + "Undefined Access (no effect) Bit 6" : "4614" + "Undefined Access (no effect) Bit 7" : "4615" + "Undefined Access (no effect) Bit 8" : "4616" + "Undefined Access (no effect) Bit 9" : "4617" + "Undefined Access (no effect) Bit 10" : "4618" + "Undefined Access (no effect) Bit 11" : "4619" + "Undefined Access (no effect) Bit 12" : "4620" + "Undefined Access (no effect) Bit 13" : "4621" + "Undefined Access (no effect) Bit 14" : "4622" + "Undefined Access (no effect) Bit 15" : "4623" + "Query State" : "4864" + "Modify State" : "4865" + "Channel read message" : "5120" + "Channel write message" : "5121" + "Channel query information" : "5122" + "Channel set information" : "5123" + "Undefined Access (no effect) Bit 4" : "5124" + "Undefined Access (no effect) Bit 5" : "5125" + "Undefined Access (no effect) Bit 6" : "5126" + "Undefined Access (no effect) Bit 7" : "5127" + "Undefined Access (no effect) Bit 8" : "5128" + "Undefined Access (no effect) Bit 9" : "5129" + "Undefined Access (no effect) Bit 10" : "5130" + "Undefined Access (no effect) Bit 11" : "5131" + "Undefined Access (no effect) Bit 12" : "5132" + "Undefined Access 
(no effect) Bit 13" : "5133" + "Undefined Access (no effect) Bit 14" : "5134" + "Undefined Access (no effect) Bit 15" : "5135" + "Assign process" : "5136" + "Set Attributes" : "5137" + "Query Attributes" : "5138" + "Terminate Job" : "5139" + "Set Security Attributes" : "5140" + "Undefined Access (no effect) Bit 5" : "5141" + "Undefined Access (no effect) Bit 6" : "5142" + "Undefined Access (no effect) Bit 7" : "5143" + "Undefined Access (no effect) Bit 8" : "5144" + "Undefined Access (no effect) Bit 9" : "5145" + "Undefined Access (no effect) Bit 10" : "5146" + "Undefined Access (no effect) Bit 11" : "5147" + "Undefined Access (no effect) Bit 12" : "5148" + "Undefined Access (no effect) Bit 13" : "5149" + "Undefined Access (no effect) Bit 14" : "5150" + "Undefined Access (no effect) Bit 15" : "5151" + "ConnectToServer" : "5376" + "ShutdownServer" : "5377" + "InitializeServer" : "5378" + "CreateDomain" : "5379" + "EnumerateDomains" : "5380" + "LookupDomain" : "5381" + "Undefined Access (no effect) Bit 6" : "5382" + "Undefined Access (no effect) Bit 7" : "5383" + "Undefined Access (no effect) Bit 8" : "5384" + "Undefined Access (no effect) Bit 9" : "5385" + "Undefined Access (no effect) Bit 10" : "5386" + "Undefined Access (no effect) Bit 11" : "5387" + "Undefined Access (no effect) Bit 12" : "5388" + "Undefined Access (no effect) Bit 13" : "5389" + "Undefined Access (no effect) Bit 14" : "5390" + "Undefined Access (no effect) Bit 15" : "5391" + "ReadPasswordParameters" : "5392" + "WritePasswordParameters" : "5393" + "ReadOtherParameters" : "5394" + "WriteOtherParameters" : "5395" + "CreateUser" : "5396" + "CreateGlobalGroup" : "5397" + "CreateLocalGroup" : "5398" + "GetLocalGroupMembership" : "5399" + "ListAccounts" : "5400" + "LookupIDs" : "5401" + "AdministerServer" : "5402" + "Undefined Access (no effect) Bit 11" : "5403" + "Undefined Access (no effect) Bit 12" : "5404" + "Undefined Access (no effect) Bit 13" : "5405" + "Undefined Access (no effect) Bit 14" : 
"5406" + "Undefined Access (no effect) Bit 15" : "5407" + "ReadInformation" : "5408" + "WriteAccount" : "5409" + "AddMember" : "5410" + "RemoveMember" : "5411" + "ListMembers" : "5412" + "Undefined Access (no effect) Bit 5" : "5413" + "Undefined Access (no effect) Bit 6" : "5414" + "Undefined Access (no effect) Bit 7" : "5415" + "Undefined Access (no effect) Bit 8" : "5416" + "Undefined Access (no effect) Bit 9" : "5417" + "Undefined Access (no effect) Bit 10" : "5418" + "Undefined Access (no effect) Bit 11" : "5419" + "Undefined Access (no effect) Bit 12" : "5420" + "Undefined Access (no effect) Bit 13" : "5421" + "Undefined Access (no effect) Bit 14" : "5422" + "Undefined Access (no effect) Bit 15" : "5423" + "AddMember" : "5424" + "RemoveMember" : "5425" + "ListMembers" : "5426" + "ReadInformation" : "5427" + "WriteAccount" : "5428" + "Undefined Access (no effect) Bit 5" : "5429" + "Undefined Access (no effect) Bit 6" : "5430" + "Undefined Access (no effect) Bit 7" : "5431" + "Undefined Access (no effect) Bit 8" : "5432" + "Undefined Access (no effect) Bit 9" : "5433" + "Undefined Access (no effect) Bit 10" : "5434" + "Undefined Access (no effect) Bit 11" : "5435" + "Undefined Access (no effect) Bit 12" : "5436" + "Undefined Access (no effect) Bit 13" : "5437" + "Undefined Access (no effect) Bit 14" : "5438" + "Undefined Access (no effect) Bit 15" : "5439" + "ReadGeneralInformation" : "5440" + "ReadPreferences" : "5441" + "WritePreferences" : "5442" + "ReadLogon" : "5443" + "ReadAccount" : "5444" + "WriteAccount" : "5445" + "ChangePassword (with knowledge of old password)" : "5446" + "SetPassword (without knowledge of old password)" : "5447" + "ListGroups" : "5448" + "ReadGroupMembership" : "5449" + "ChangeGroupMembership" : "5450" + "Undefined Access (no effect) Bit 11" : "5451" + "Undefined Access (no effect) Bit 12" : "5452" + "Undefined Access (no effect) Bit 13" : "5453" + "Undefined Access (no effect) Bit 14" : "5454" + "Undefined Access (no effect) Bit 
15" : "5455" + "View non-sensitive policy information" : "5632" + "View system audit requirements" : "5633" + "Get sensitive policy information" : "5634" + "Modify domain trust relationships" : "5635" + "Create special accounts (for assignment of user rights)" : "5636" + "Create a secret object" : "5637" + "Create a privilege" : "5638" + "Set default quota limits" : "5639" + "Change system audit requirements" : "5640" + "Administer audit log attributes" : "5641" + "Enable/Disable LSA" : "5642" + "Lookup Names/SIDs" : "5643" + "Change secret value" : "5648" + "Query secret value" : "5649" + "Undefined Access (no effect) Bit 2" : "5650" + "Undefined Access (no effect) Bit 3" : "5651" + "Undefined Access (no effect) Bit 4" : "5652" + "Undefined Access (no effect) Bit 5" : "5653" + "Undefined Access (no effect) Bit 6" : "5654" + "Undefined Access (no effect) Bit 7" : "5655" + "Undefined Access (no effect) Bit 8" : "5656" + "Undefined Access (no effect) Bit 9" : "5657" + "Undefined Access (no effect) Bit 10" : "5658" + "Undefined Access (no effect) Bit 11" : "5659" + "Undefined Access (no effect) Bit 12" : "5660" + "Undefined Access (no effect) Bit 13" : "5661" + "Undefined Access (no effect) Bit 14" : "5662" + "Undefined Access (no effect) Bit 15" : "5663" + "Query trusted domain name/SID" : "5664" + "Retrieve the controllers in the trusted domain" : "5665" + "Change the controllers in the trusted domain" : "5666" + "Query the Posix ID offset assigned to the trusted domain" : "5667" + "Change the Posix ID offset assigned to the trusted domain" : "5668" + "Undefined Access (no effect) Bit 5" : "5669" + "Undefined Access (no effect) Bit 6" : "5670" + "Undefined Access (no effect) Bit 7" : "5671" + "Undefined Access (no effect) Bit 8" : "5672" + "Undefined Access (no effect) Bit 9" : "5673" + "Undefined Access (no effect) Bit 10" : "5674" + "Undefined Access (no effect) Bit 11" : "5675" + "Undefined Access (no effect) Bit 12" : "5676" + "Undefined Access (no effect) Bit 
13" : "5677" + "Undefined Access (no effect) Bit 14" : "5678" + "Undefined Access (no effect) Bit 15" : "5679" + "Query account information" : "5680" + "Change privileges assigned to account" : "5681" + "Change quotas assigned to account" : "5682" + "Change logon capabilities assigned to account" : "5683" + "Change the Posix ID offset assigned to the accounted domain" : "5684" + "Undefined Access (no effect) Bit 5" : "5685" + "Undefined Access (no effect) Bit 6" : "5686" + "Undefined Access (no effect) Bit 7" : "5687" + "Undefined Access (no effect) Bit 8" : "5688" + "Undefined Access (no effect) Bit 9" : "5689" + "Undefined Access (no effect) Bit 10" : "5690" + "Undefined Access (no effect) Bit 11" : "5691" + "Undefined Access (no effect) Bit 12" : "5692" + "Undefined Access (no effect) Bit 13" : "5693" + "Undefined Access (no effect) Bit 14" : "5694" + "Undefined Access (no effect) Bit 15" : "5695" + "KeyedEvent Wait" : "5696" + "KeyedEvent Wake" : "5697" + "Undefined Access (no effect) Bit 2" : "5698" + "Undefined Access (no effect) Bit 3" : "5699" + "Undefined Access (no effect) Bit 4" : "5700" + "Undefined Access (no effect) Bit 5" : "5701" + "Undefined Access (no effect) Bit 6" : "5702" + "Undefined Access (no effect) Bit 7" : "5703" + "Undefined Access (no effect) Bit 8" : "5704" + "Undefined Access (no effect) Bit 9" : "5705" + "Undefined Access (no effect) Bit 10" : "5706" + "Undefined Access (no effect) Bit 11" : "5707" + "Undefined Access (no effect) Bit 12" : "5708" + "Undefined Access (no effect) Bit 13" : "5709" + "Undefined Access (no effect) Bit 14" : "5710" + "Undefined Access (no effect) Bit 15" : "5711" + "Enumerate desktops" : "6656" + "Read attributes" : "6657" + "Access Clipboard" : "6658" + "Create desktop" : "6659" + "Write attributes" : "6660" + "Access global atoms" : "6661" + "Exit windows" : "6662" + "Unused Access Flag" : "6663" + "Include this windowstation in enumerations" : "6664" + "Read screen" : "6665" + "Read Objects" : "6672" + 
"Create window" : "6673" + "Create menu" : "6674" + "Hook control" : "6675" + "Journal (record)" : "6676" + "Journal (playback)" : "6677" + "Include this desktop in enumerations" : "6678" + "Write objects" : "6679" + "Switch to this desktop" : "6680" + "Administer print server" : "6912" + "Enumerate printers" : "6913" + "Full Control" : "6930" + "Print" : "6931" + "Administer Document" : "6948" + "Connect to service controller" : "7168" + "Create a new service" : "7169" + "Enumerate services" : "7170" + "Lock service database for exclusive access" : "7171" + "Query service database lock state" : "7172" + "Set last-known-good state of service database" : "7173" + "Query service configuration information" : "7184" + "Set service configuration information" : "7185" + "Query status of service" : "7186" + "Enumerate dependencies of service" : "7187" + "Start the service" : "7188" + "Stop the service" : "7189" + "Pause or continue the service" : "7190" + "Query information from service" : "7191" + "Issue service-specific control commands" : "7192" + "DDE Share Read" : "7424" + "DDE Share Write" : "7425" + "DDE Share Initiate Static" : "7426" + "DDE Share Initiate Link" : "7427" + "DDE Share Request" : "7428" + "DDE Share Advise" : "7429" + "DDE Share Poke" : "7430" + "DDE Share Execute" : "7431" + "DDE Share Add Items" : "7432" + "DDE Share List Items" : "7433" + "Create Child" : "7680" + "Delete Child" : "7681" + "List Contents" : "7682" + "Write Self" : "7683" + "Read Property" : "7684" + "Write Property" : "7685" + "Delete Tree" : "7686" + "List Object" : "7687" + "Control Access" : "7688" + "Undefined Access (no effect) Bit 9" : "7689" + "Undefined Access (no effect) Bit 10" : "7690" + "Undefined Access (no effect) Bit 11" : "7691" + "Undefined Access (no effect) Bit 12" : "7692" + "Undefined Access (no effect) Bit 13" : "7693" + "Undefined Access (no effect) Bit 14" : "7694" + "Undefined Access (no effect) Bit 15" : "7695" + "Audit Set System Policy" : "7936" + 
"Audit Query System Policy" : "7937" + "Audit Set Per User Policy" : "7938" + "Audit Query Per User Policy" : "7939" + "Audit Enumerate Users" : "7940" + "Audit Set Options" : "7941" + "Audit Query Options" : "7942" + "Port sharing (read)" : "8064" + "Port sharing (write)" : "8065" + "Default credentials" : "8096" + "Credentials manager" : "8097" + "Fresh credentials" : "8098" + "Kerberos" : "8192" + "Preshared key" : "8193" + "Unknown authentication" : "8194" + "DES" : "8195" + "3DES" : "8196" + "MD5" : "8197" + "SHA1" : "8198" + "Local computer" : "8199" + "Remote computer" : "8200" + "No state" : "8201" + "Sent first (SA) payload" : "8202" + "Sent second (KE) payload" : "8203" + "Sent third (ID) payload" : "8204" + "Initiator" : "8205" + "Responder" : "8206" + "No state" : "8207" + "Sent first (SA) payload" : "8208" + "Sent final payload" : "8209" + "Complete" : "8210" + "Unknown" : "8211" + "Transport" : "8212" + "Tunnel" : "8213" + "IKE/AuthIP DoS prevention mode started" : "8214" + "IKE/AuthIP DoS prevention mode stopped" : "8215" + "Enabled" : "8216" + "Not enabled" : "8217" + "No state" : "8218" + "Sent first (EM attributes) payload" : "8219" + "Sent second (SSPI) payload" : "8220" + "Sent third (hash) payload" : "8221" + "IKEv1" : "8222" + "AuthIP" : "8223" + "Anonymous" : "8224" + "NTLM V2" : "8225" + "CGA" : "8226" + "Certificate" : "8227" + "SSL" : "8228" + "None" : "8229" + "DH group 1" : "8230" + "DH group 2" : "8231" + "DH group 14" : "8232" + "DH group ECP 256" : "8233" + "DH group ECP 384" : "8234" + "AES-128" : "8235" + "AES-192" : "8236" + "AES-256" : "8237" + "Certificate ECDSA P256" : "8238" + "Certificate ECDSA P384" : "8239" + "SSL ECDSA P256" : "8240" + "SSL ECDSA P384" : "8241" + "SHA 256" : "8242" + "SHA 384" : "8243" + "IKEv2" : "8244" + "EAP payload sent" : "8245" + "Authentication payload sent" : "8246" + "EAP" : "8247" + "DH group 24" : "8248" + "System" : "8272" + "Logon/Logoff" : "8273" + "Object Access" : "8274" + "Privilege Use" : 
"8275" + "Detailed Tracking" : "8276" + "Policy Change" : "8277" + "Account Management" : "8278" + "DS Access" : "8279" + "Account Logon" : "8280" + "Success removed" : "8448" + "Success Added" : "8449" + "Failure removed" : "8450" + "Failure Added" : "8451" + "Success include removed" : "8452" + "Success include added" : "8453" + "Success exclude removed" : "8454" + "Success exclude added" : "8455" + "Failure include removed" : "8456" + "Failure include added" : "8457" + "Failure exclude removed" : "8458" + "Failure exclude added" : "8459" + "Security State Change" : "12288" + "Security System Extension" : "12289" + "System Integrity" : "12290" + "IPsec Driver" : "12291" + "Other System Events" : "12292" + "Logon" : "12544" + "Logoff" : "12545" + "Account Lockout" : "12546" + "IPsec Main Mode" : "12547" + "Special Logon" : "12548" + "IPsec Quick Mode" : "12549" + "IPsec Extended Mode" : "12550" + "Other Logon/Logoff Events" : "12551" + "Network Policy Server" : "12552" + "User / Device Claims" : "12553" + "Group Membership" : "12554" + "File System" : "12800" + "Registry" : "12801" + "Kernel Object" : "12802" + "SAM" : "12803" + "Other Object Access Events" : "12804" + "Certification Services" : "12805" + "Application Generated" : "12806" + "Handle Manipulation" : "12807" + "File Share" : "12808" + "Filtering Platform Packet Drop" : "12809" + "Filtering Platform Connection" : "12810" + "Detailed File Share" : "12811" + "Removable Storage" : "12812" + "Central Policy Staging" : "12813" + "Sensitive Privilege Use" : "13056" + "Non Sensitive Privilege Use" : "13057" + "Other Privilege Use Events" : "13058" + "Process Creation" : "13312" + "Process Termination" : "13313" + "DPAPI Activity" : "13314" + "RPC Events" : "13315" + "Plug and Play Events" : "13316" + "Token Right Adjusted Events" : "13317" + "Audit Policy Change" : "13568" + "Authentication Policy Change" : "13569" + "Authorization Policy Change" : "13570" + "MPSSVC Rule-Level Policy Change" : "13571" + 
"Filtering Platform Policy Change" : "13572" + "Other Policy Change Events" : "13573" + "User Account Management" : "13824" + "Computer Account Management" : "13825" + "Security Group Management" : "13826" + "Distribution Group Management" : "13827" + "Application Group Management" : "13828" + "Other Account Management Events" : "13829" + "Directory Service Access" : "14080" + "Directory Service Changes" : "14081" + "Directory Service Replication" : "14082" + "Detailed Directory Service Replication" : "14083" + "Credential Validation" : "14336" + "Kerberos Service Ticket Operations" : "14337" + "Other Account Logon Events" : "14338" + "Kerberos Authentication Service" : "14339" + "Inbound" : "14592" + "Outbound" : "14593" + "Forward" : "14594" + "Bidirectional" : "14595" + "IP Packet" : "14596" + "Transport" : "14597" + "Forward" : "14598" + "Stream" : "14599" + "Datagram Data" : "14600" + "ICMP Error" : "14601" + "MAC 802.3" : "14602" + "MAC Native" : "14603" + "vSwitch" : "14604" + "Resource Assignment" : "14608" + "Listen" : "14609" + "Receive/Accept" : "14610" + "Connect" : "14611" + "Flow Established" : "14612" + "Resource Release" : "14614" + "Endpoint Closure" : "14615" + "Connect Redirect" : "14616" + "Bind Redirect" : "14617" + "Stream Packet" : "14624" + "ICMP Echo-Request" : "14640" + "vSwitch Ingress" : "14641" + "vSwitch Egress" : "14642" + "" : "14672" + "[NULL]" : "14673" + "Value Added" : "14674" + "Value Deleted" : "14675" + "Active Directory Domain Services" : "14676" + "Active Directory Lightweight Directory Services" : "14677" + "Yes" : "14678" + "No" : "14679" + "Value Added With Expiration Time" : "14680" + "Value Deleted With Expiration Time" : "14681" + "Value Auto Deleted With Expiration Time" : "14688" + "Add" : "16384" + "Delete" : "16385" + "Boot-time" : "16386" + "Persistent" : "16387" + "Not persistent" : "16388" + "Block" : "16389" + "Permit" : "16390" + "Callout" : "16391" + "MD5" : "16392" + "SHA-1" : "16393" + "SHA-256" : "16394" + 
"AES-GCM 128" : "16395" + "AES-GCM 192" : "16396" + "AES-GCM 256" : "16397" + "DES" : "16398" + "3DES" : "16399" + "AES-128" : "16400" + "AES-192" : "16401" + "AES-256" : "16402" + "Transport" : "16403" + "Tunnel" : "16404" + "Responder" : "16405" + "Initiator" : "16406" + "AES-GMAC 128" : "16407" + "AES-GMAC 192" : "16408" + "AES-GMAC 256" : "16409" + "AuthNoEncap Transport" : "16416" + "Enable WMI Account" : "16896" + "Execute Method" : "16897" + "Full Write" : "16898" + "Partial Write" : "16899" + "Provider Write" : "16900" + "Remote Access" : "16901" + "Subscribe" : "16902" + "Publish" : "16903" AccessMaskDescriptions: "0x00000001": Create Child "0x00000002": Delete Child @@ -2164,7 +3135,11 @@ processors: if (ctx?.winlog?.event_data?.FailureReason != null) { def code = ctx.winlog.event_data.FailureReason.replace("%%",""); - if (params.descriptions.containsKey(code)) { + def desc = params.descriptions[code]; + if (desc == null) { + desc = code; + } + if (desc != null) { if (ctx?.winlog?.logon == null ) { HashMap hm = new HashMap(); ctx.winlog.put("logon", hm); @@ -2173,7 +3148,7 @@ processors: HashMap hm = new HashMap(); ctx.winlog.logon.put("failure", hm); } - ctx.winlog.logon.failure.put("reason", params.descriptions[code]); + ctx.winlog.logon.failure.put("reason", desc); } } if (ctx?.winlog?.event_data?.AuditPolicyChanges != null) { @@ -2182,6 +3157,8 @@ processors: def code = elem.replace("%%","").trim(); if (params.descriptions.containsKey(code)) { results.add(params.descriptions[code]); + } else { + results.add(code); } } if (results.length > 0) { @@ -2194,6 +3171,8 @@ processors: def code = elem.replace("%%","").trim(); if (params.descriptions.containsKey(code)) { results.add(params.descriptions[code]); + } else { + results.add(code); } } if (results.length > 0) { 
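Review bot: The guard `if (desc != null)` that replaces the containsKey check in the -2164 hunk can never be false, because the fallback just before it assigns `desc = code` and `code` is the non-null result of `replace()`; the two ifs collapse to `def desc = params.descriptions.getOrDefault(code, code);`. The behavioral change worth stating is that an unmapped FailureReason now lands verbatim in `winlog.logon.failure.reason` instead of leaving the field unset, so any rule matching on the enumerated strings should also expect raw numeric codes; a comment such as `// unknown codes pass through unchanged rather than being dropped` at the fallback would make that intent explicit. The -2182 and -2194 hunks apply the same pass-through via a plain else branch, which is the simpler form and could be used here as well. The enclosing script block starts before and continues after these hunks.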
@@ -2207,9 +3186,17 @@ processors:
 if (elem.length() == 0) {
 continue;
 }
- list.add(elem);
 def code = elem.replace("%%","").trim();
- accessMask |= Long.decode(code).longValue();
+ if (params.descriptions.containsKey(code)) {
+ list.add(params.descriptions[code]);
+ } else {
+ list.add(code);
+ code = params.reversed_descriptions[code];
+ }
+ try {
+ def longCode = Long.decode(code).longValue();
+ accessMask |= longCode;
+ } catch (Exception e) {}
 }
 if (list.length > 0) {
 ctx.winlog.event_data.put("AccessMask", list);
From 18c4d33fa01b1c99e85ccf609deefc4ae0656c25 Mon Sep 17 00:00:00 2001
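Review bot: The new `try { … } catch (Exception e) {}` around `Long.decode(code)` swallows every failure, including the one raised when `code` is neither a known numeric code nor a key of `params.reversed_descriptions` (the `else` branch then leaves `code` null); such an entry is still appended to `list` but silently vanishes from `accessMask`, so the numeric mask can under-report the rights actually granted for any value the tables do not cover, with nothing in the event to show that a bit was dropped. Prefer an explicit null guard and a narrow catch so only genuinely unparseable strings are skipped: `if (code != null) { try { accessMask |= Long.decode(code).longValue(); } catch (NumberFormatException e) { /* unparseable mask entry: kept in list, absent from mask */ } }`. The reverse lookup is also only as reliable as its table: the description-to-code block added earlier in this patch (ending at `"Publish" : "16903"`) repeats keys such as `"Forward"` and `"Transport"`, so if that block is what `reversed_descriptions` is built from, those names resolve to whichever duplicate the YAML loader keeps, or fail to load at all with a strict loader. The surrounding loop and the script source start and end outside this hunk.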
From: Marc Guasch Date: Wed, 15 Jan 2025 11:08:30 +0100 Subject: [PATCH 14/20] Regenerate ingest golden files --- .../test/testdata/ingest/400.golden.json | 40 +- .../test/testdata/ingest/403.golden.json | 40 +- .../test/testdata/ingest/4103.golden.json | 26 +- .../test/testdata/ingest/4104.golden.json | 26 +- .../test/testdata/ingest/4105.golden.json | 13 +- .../test/testdata/ingest/4106.golden.json | 13 +- .../test/testdata/ingest/600.golden.json | 30 +- .../test/testdata/ingest/800.golden.json | 40 +- .../test/testdata/ingest/1100.golden.json | 3 +- .../test/testdata/ingest/1102.golden.json | 5 +- .../test/testdata/ingest/1104.golden.json | 3 +- .../test/testdata/ingest/1105.golden.json | 3 +- .../ingest/4670_WindowsSrv2016.golden.json | 5 +- .../ingest/4706_WindowsSrv2016.golden.json | 9 +- .../ingest/4707_WindowsSrv2016.golden.json | 5 +- .../ingest/4713_WindowsSrv2016.golden.json | 7 +- .../ingest/4716_WindowsSrv2016.golden.json | 7 +- .../ingest/4717_WindowsSrv2016.golden.json | 7 +- .../ingest/4718_WindowsSrv2016.golden.json | 7 +- .../test/testdata/ingest/4719.golden.json | 17 +- .../ingest/4719_WindowsSrv2016.golden.json | 15 +- .../ingest/4739_WindowsSrv2016.golden.json | 5 +- .../test/testdata/ingest/4741.golden.json | 17 +- .../test/testdata/ingest/4742.golden.json | 7 +- .../test/testdata/ingest/4743.golden.json | 5 +- .../test/testdata/ingest/4744.golden.json | 5 +- .../test/testdata/ingest/4745.golden.json | 5 +- .../test/testdata/ingest/4746.golden.json | 5 +- .../test/testdata/ingest/4747.golden.json | 5 +- .../test/testdata/ingest/4748.golden.json | 5 +- .../test/testdata/ingest/4749.golden.json | 5 +- .../test/testdata/ingest/4750.golden.json | 5 +- .../test/testdata/ingest/4751.golden.json | 5 +- .../test/testdata/ingest/4752.golden.json | 5 +- .../test/testdata/ingest/4753.golden.json | 5 +- .../test/testdata/ingest/4759.golden.json | 5 +- .../test/testdata/ingest/4760.golden.json | 5 +- .../test/testdata/ingest/4761.golden.json | 5 +- 
.../test/testdata/ingest/4762.golden.json | 5 +- .../test/testdata/ingest/4763.golden.json | 5 +- .../ingest/4817_WindowsSrv2016.golden.json | 7 +- .../ingest/4902_WindowsSrv2016.golden.json | 5 +- .../ingest/4904_WindowsSrv2016.golden.json | 7 +- .../ingest/4905_WindowsSrv2016.golden.json | 7 +- .../ingest/4906_WindowsSrv2016.golden.json | 3 +- .../ingest/4907_WindowsSrv2016.golden.json | 5 +- .../ingest/4908_WindowsSrv2016.golden.json | 3 +- .../security-windows2012_4673.golden.json | 5 +- .../security-windows2012_4674.golden.json | 9 +- .../security-windows2012_4697.golden.json | 7 +- .../security-windows2012_4698.golden.json | 5 +- .../security-windows2012_4699.golden.json | 5 +- .../security-windows2012_4700.golden.json | 5 +- .../security-windows2012_4701.golden.json | 5 +- .../security-windows2012_4702.golden.json | 5 +- .../security-windows2012_4768.golden.json | 3 +- .../security-windows2012_4769.golden.json | 7 +- .../security-windows2012_4770.golden.json | 3 +- .../security-windows2012_4771.golden.json | 3 +- .../security-windows2012_4776.golden.json | 3 +- .../security-windows2012_4778.golden.json | 5 +- .../security-windows2012_4779.golden.json | 5 +- .../security-windows2012r2-logon.golden.json | 126 +- .../security-windows2016-4672.golden.json | 7 +- .../security-windows2016-logoff.golden.json | 10 +- ...ndows2016_4720_Account_Created.golden.json | 66 +- ...ndows2016_4722_Account_Enabled.golden.json | 14 +- ...ndows2016_4723_Password_Change.golden.json | 14 +- ...indows2016_4724_Password_Reset.golden.json | 14 +- ...dows2016_4725_Account_Disabled.golden.json | 14 +- ...ndows2016_4726_Account_Deleted.golden.json | 14 +- .../security-windows2016_4727.golden.json | 3 +- .../security-windows2016_4728.golden.json | 5 +- .../security-windows2016_4729.golden.json | 5 +- .../security-windows2016_4730.golden.json | 5 +- .../security-windows2016_4731.golden.json | 5 +- .../security-windows2016_4732.golden.json | 5 +- .../security-windows2016_4733.golden.json | 
5 +- .../security-windows2016_4734.golden.json | 5 +- .../security-windows2016_4735.golden.json | 5 +- .../security-windows2016_4737.golden.json | 5 +- ...ndows2016_4738_Account_Changed.golden.json | 48 +- ...ws2016_4740_Account_Locked_Out.golden.json | 7 +- .../security-windows2016_4754.golden.json | 5 +- .../security-windows2016_4755.golden.json | 5 +- .../security-windows2016_4756.golden.json | 5 +- .../security-windows2016_4757.golden.json | 5 +- .../security-windows2016_4758.golden.json | 5 +- .../security-windows2016_4764.golden.json | 5 +- ...dows2016_4767_Account_Unlocked.golden.json | 7 +- ...ndows2016_4781_Account_Renamed.golden.json | 14 +- .../security-windows2016_4798.golden.json | 7 +- .../security-windows2016_4799.golden.json | 7 +- .../security-windows2016_4964.golden.json | 18 +- ...ndows2019_4688_Process_Created.golden.json | 7 +- ...indows2019_4689_Process_Exited.golden.json | 15 +- .../ingest/sysmon-10.2-dns.golden.json | 1248 ++++++++++------- .../ingest/sysmon-11-filedelete.golden.json | 24 +- .../sysmon-11-filedeletedetected.golden.json | 16 +- .../ingest/sysmon-11-registry.golden.json | 40 +- .../ingest/sysmon-12-loadimage.golden.json | 8 +- .../sysmon-12-processcreate.golden.json | 12 +- .../sysmon-13-clipboardchange.golden.json | 8 +- .../sysmon-13-processtampering.golden.json | 12 +- .../testdata/ingest/sysmon-9.01.golden.json | 264 ++-- x-pack/winlogbeat/module/testing.go | 2 +- 106 files changed, 1500 insertions(+), 1163 deletions(-) diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json index e6860bdb9a06..67d0989f4a11 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json 
@@ -8,7 +8,7 @@ "action": "Engine Lifecycle", "category": "process", "code": "400", - "ingested": "2022-06-08T06:07:25.791038Z", + "ingested": "2025-01-15T10:02:22.041691914Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -16,7 +16,11 @@ "type": "start" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -44,14 +48,12 @@ "title": "ServerRemoteHost" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "400", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1492", "task": "Engine Lifecycle" @@ -66,7 +68,7 @@ "action": "Engine Lifecycle", "category": "process", "code": "400", - "ingested": "2022-06-08T06:07:25.791068400Z", + "ingested": "2025-01-15T10:02:22.042381068Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -74,7 +76,11 @@ "type": "start" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -104,14 +110,12 @@ "title": "ConsoleHost" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "400", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1511", "task": "Engine Lifecycle" @@ -126,7 +130,7 @@ "action": "Engine Lifecycle", "category": "process", "code": "400", - "ingested": "2022-06-08T06:07:25.791084400Z", + "ingested": "2025-01-15T10:02:22.042395560Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -134,7 +138,11 @@ "type": "start" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" 
@@ -162,14 +170,12 @@ "title": "Windows PowerShell ISE Host" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "400", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1579", "task": "Engine Lifecycle" @@ -184,7 +190,7 @@ "action": "Engine Lifecycle", "category": "process", "code": "400", - "ingested": "2022-06-08T06:07:25.791099600Z", + "ingested": "2025-01-15T10:02:22.042402302Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -192,7 +198,11 @@ "type": "start" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -214,14 +224,12 @@ "title": "ConsoleHost" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "400", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "18591", "task": "Engine Lifecycle" diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json index 5c04bdf9c293..e23c6b81a3f8 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json @@ -8,7 +8,7 @@ "action": "Engine Lifecycle", "category": "process", "code": "403", - "ingested": "2022-06-08T06:07:25.874127300Z", + "ingested": "2025-01-15T10:02:22.075700098Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -16,7 +16,11 @@ "type": "end" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" 
@@ -43,14 +47,12 @@ "title": "Windows PowerShell ISE Host" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "403", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1687", "task": "Engine Lifecycle" @@ -65,7 +67,7 @@ "action": "Engine Lifecycle", "category": "process", "code": "403", - "ingested": "2022-06-08T06:07:25.874167200Z", + "ingested": "2025-01-15T10:02:22.075721610Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -73,7 +75,11 @@ "type": "end" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -101,14 +107,12 @@ "title": "ServerRemoteHost" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "403", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1706", "task": "Engine Lifecycle" @@ -123,7 +127,7 @@ "action": "Engine Lifecycle", "category": "process", "code": "403", - "ingested": "2022-06-08T06:07:25.874176600Z", + "ingested": "2025-01-15T10:02:22.075728323Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -131,7 +135,11 @@ "type": "end" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -166,14 +174,12 @@ "title": "ConsoleHost" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "403", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1766", "task": "Engine Lifecycle" @@ -188,7 +194,7 @@ "action": "Engine Lifecycle", "category": "process", "code": "403", - "ingested": "2022-06-08T06:07:25.874238900Z", + "ingested": "2025-01-15T10:02:22.075733622Z", "kind": "event", "module": "powershell", "provider": "PowerShell", 
@@ -196,7 +202,11 @@ "type": "end" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -218,14 +228,12 @@ "title": "ConsoleHost" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "403", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "18592", "task": "Engine Lifecycle" diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json index 2497de593916..1e270875d3a6 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json @@ -14,7 +14,7 @@ "action": "Executing Pipeline", "category": "process", "code": "4103", - "ingested": "2022-06-08T06:07:25.896041700Z", + "ingested": "2025-01-15T10:02:22.083664757Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", @@ -22,7 +22,11 @@ "type": "info" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -89,8 +93,7 @@ "name": "vagrant" }, "winlog": { - "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", - "api": "wineventlog", + "activity_id": "{1ACA0717-2ACB-0002-C208-CA1ACB2AD601}", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", "event_id": "4103", @@ -101,7 +104,7 @@ "id": 3616 } }, - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "provider_name": "Microsoft-Windows-PowerShell", "record_id": "3885", "task": "Executing Pipeline", 
@@ -120,7 +123,7 @@ "action": "Executing Pipeline", "category": "process", "code": "4103", - "ingested": "2022-06-08T06:07:25.896068100Z", + "ingested": "2025-01-15T10:02:22.083688734Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", @@ -128,7 +131,11 @@ "type": "info" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -215,8 +222,7 @@ "name": "vagrant" }, "winlog": { - "activity_id": "{1aca0717-2acb-0003-db0b-ca1acb2ad601}", - "api": "wineventlog", + "activity_id": "{1ACA0717-2ACB-0003-DB0B-CA1ACB2AD601}", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", "event_id": "4103", @@ -227,7 +233,7 @@ "id": 4160 } }, - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "provider_name": "Microsoft-Windows-PowerShell", "record_id": "3917", "task": "Executing Pipeline", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json index 86d384caace8..874b034919c2 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json @@ -8,14 +8,18 @@ "action": "Execute a Remote Command", "category": "process", "code": "4104", - "ingested": "2022-06-08T06:07:25.944364800Z", + "ingested": "2025-01-15T10:02:22.104487839Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", "type": "info" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "verbose" 
@@ -33,8 +37,7 @@ "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, "winlog": { - "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", - "api": "wineventlog", + "activity_id": "{FB13C9DE-29F7-0001-18E0-13FBF729D601}", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", "event_id": "4104", @@ -45,7 +48,7 @@ "id": 4428 } }, - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "provider_name": "Microsoft-Windows-PowerShell", "record_id": "3580", "task": "Execute a Remote Command", @@ -64,7 +67,7 @@ "action": "Execute a Remote Command", "category": "process", "code": "4104", - "ingested": "2022-06-08T06:07:25.944391600Z", + "ingested": "2025-01-15T10:02:22.104615177Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", @@ -77,7 +80,11 @@ "path": "C:\\Users\\vagrant\\Desktop\\patata.ps1" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "verbose" @@ -94,8 +101,7 @@ "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, "winlog": { - "activity_id": "{fb13c9de-29f7-0000-79db-13fbf729d601}", - "api": "wineventlog", + "activity_id": "{FB13C9DE-29F7-0000-79DB-13FBF729D601}", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", "event_id": "4104", @@ -106,7 +112,7 @@ "id": 4428 } }, - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "provider_name": "Microsoft-Windows-PowerShell", "record_id": "3582", "task": "Execute a Remote Command", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json index 15e6d136a609..79f97e6e9e5d 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json 
+++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json @@ -8,14 +8,18 @@ "action": "Starting Command", "category": "process", "code": "4105", - "ingested": "2022-06-08T06:07:25.962029500Z", + "ingested": "2025-01-15T10:02:22.112704225Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", "type": "start" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "verbose" @@ -31,8 +35,7 @@ "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, "winlog": { - "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", - "api": "wineventlog", + "activity_id": "{DD68516A-2930-0000-5962-68DD3029D601}", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", "event_id": "4105", @@ -43,7 +46,7 @@ "id": 1476 } }, - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "provider_name": "Microsoft-Windows-PowerShell", "record_id": "790", "task": "Starting Command", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json index 791fe2892351..e69df74ff289 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json @@ -8,14 +8,18 @@ "action": "Stopping Command", "category": "process", "code": "4106", - "ingested": "2022-06-08T06:07:25.970830900Z", + "ingested": "2025-01-15T10:02:22.116886398Z", "kind": "event", "module": "powershell", "provider": "Microsoft-Windows-PowerShell", "type": "end" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "verbose" 
@@ -31,8 +35,7 @@ "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, "winlog": { - "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", - "api": "wineventlog", + "activity_id": "{E3200B8A-290E-0002-332A-20E30E29D601}", "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", "event_id": "4106", @@ -43,7 +46,7 @@ "id": 5092 } }, - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_guid": "{A0C1853B-5C40-4B15-8766-3CF1C58F985A}", "provider_name": "Microsoft-Windows-PowerShell", "record_id": "933", "task": "Stopping Command", diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json index 5c5603ad84dc..7df9047f6051 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json @@ -8,7 +8,7 @@ "action": "Provider Lifecycle", "category": "process", "code": "600", - "ingested": "2022-06-08T06:07:25.978294200Z", + "ingested": "2025-01-15T10:02:22.120659443Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -16,7 +16,11 @@ "type": "info" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -47,14 +51,12 @@ "title": "Windows PowerShell ISE Host" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "600", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1089", "task": "Provider Lifecycle" @@ -69,7 +71,7 @@ "action": "Provider Lifecycle", "category": "process", "code": "600", - "ingested": "2022-06-08T06:07:25.978319400Z", + "ingested": "2025-01-15T10:02:22.120717968Z", "kind": "event", "module": "powershell", "provider": "PowerShell", 
@@ -77,7 +79,11 @@ "type": "info" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -105,14 +111,12 @@ "title": "ConsoleHost" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "600", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1266", "task": "Provider Lifecycle" @@ -127,7 +131,7 @@ "action": "Provider Lifecycle", "category": "process", "code": "600", - "ingested": "2022-06-08T06:07:25.978335600Z", + "ingested": "2025-01-15T10:02:22.120732760Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -135,7 +139,11 @@ "type": "info" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -155,14 +163,12 @@ "title": "ConsoleHost" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "600", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "18640", "task": "Provider Lifecycle" diff --git a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json index b3c502fd4653..9c7e27e1d946 100644 --- a/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json +++ b/x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json @@ -8,7 +8,7 @@ "action": "Pipeline Execution Details", "category": "process", "code": "800", - "ingested": "2022-06-08T06:07:25.991754100Z", + "ingested": "2025-01-15T10:02:22.127700838Z", "kind": "event", "module": "powershell", "provider": "PowerShell", 
@@ -22,7 +22,11 @@ "path": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1" }, "host": { - "name": "vagrant-2019" + "name": "vagrant-2019", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -91,14 +95,12 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant-2019", "event_id": "800", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "191", "task": "Pipeline Execution Details" @@ -113,7 +115,7 @@ "action": "Pipeline Execution Details", "category": "process", "code": "800", - "ingested": "2022-06-08T06:07:25.991821100Z", + "ingested": "2025-01-15T10:02:22.127748302Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -121,7 +123,11 @@ "type": "info" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -177,14 +183,12 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "800", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1843", "task": "Pipeline Execution Details" @@ -199,7 +203,7 @@ "action": "Pipeline Execution Details", "category": "process", "code": "800", - "ingested": "2022-06-08T06:07:25.991832300Z", + "ingested": "2025-01-15T10:02:22.127760188Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -207,7 +211,11 @@ "type": "info" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" 
@@ -274,14 +282,12 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "800", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1846", "task": "Pipeline Execution Details" @@ -296,7 +302,7 @@ "action": "Pipeline Execution Details", "category": "process", "code": "800", - "ingested": "2022-06-08T06:07:25.991841100Z", + "ingested": "2025-01-15T10:02:22.127766919Z", "kind": "event", "module": "powershell", "provider": "PowerShell", @@ -304,7 +310,11 @@ "type": "info" }, "host": { - "name": "vagrant" + "name": "vagrant", + "os": { + "family": "windows", + "type": "windows" + } }, "log": { "level": "information" @@ -359,14 +369,12 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Windows PowerShell", "computer_name": "vagrant", "event_id": "800", "keywords": [ "Classic" ], - "opcode": "Info", "provider_name": "PowerShell", "record_id": "1847", "task": "Pipeline Execution Details" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json index 0e6fdfaa198b..547964c9fbff 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json @@ -26,7 +26,6 @@ }, "message": "The event logging service has shut down.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_id": "1100", @@ -40,7 +39,7 @@ "id": 4532 } }, - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}", "provider_name": "Microsoft-Windows-Eventlog", "record_id": "14257", "task": "Service shutdown" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json index f25bf0530d41..5da9e28c4fb1 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json @@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "The audit log was cleared.\nSubject:\n\tSecurity ID:\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\tAdministrator\n\tDomain Name:\tWLBEAT\n\tLogon ID:\t0x50E87", + "message": "The audit log was cleared.\nSubject:\n\tSecurity ID:\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\tAdministrator\n\tDomain Name:\tWLBEAT\n\tLogon ID:\t0x50e87", "related": { "user": [ "Administrator" @@ -37,7 +37,6 @@ "name": "Administrator" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_id": "1102", @@ -54,7 +53,7 @@ "id": 1824 } }, - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}", "provider_name": "Microsoft-Windows-Eventlog", "record_id": "14224", "task": "Log clear", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json index 72250f42747b..baf58e5e7d16 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json @@ -26,7 +26,6 @@ }, "message": "The security log is now full.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_id": "1104", 
@@ -40,7 +39,7 @@ "id": 1444 } }, - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}", "provider_name": "Microsoft-Windows-Eventlog", "record_id": "19352", "task": "Event processing" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json index 0fd4278b24f9..1982c1a45360 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json @@ -26,7 +26,6 @@ }, "message": "Event log automatic backup\n\tLog:\tSecurity\n\tFile:\tC:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_id": "1105", @@ -40,7 +39,7 @@ "id": 1484 } }, - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_guid": "{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}", "provider_name": "Microsoft-Windows-Eventlog", "record_id": "18197", "task": "Log automatic backup", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json index 3896d299bcae..0708534f99a1 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x56c\n\nProcess:\n\tProcess ID:\t0x2fc\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", + "message": "Permissions on an object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tToken\n\tObject Name:\t-\n\tHandle ID:\t0x56c\n\nProcess:\n\tProcess ID:\t0x2fc\n\tProcess Name:\tC:\\Windows\\System32\\services.exe\n\nPermissions Change:\n\tOriginal Security Descriptor:\tD:(A;;GA;;;SY)(A;;GA;;;NS)\n\tNew Security Descriptor:\tD:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", "process": { "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", @@ -43,7 +43,6 @@ "name": "WIN-BVM4LI1L1Q6$" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -77,7 +76,7 @@ "id": 4604 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "31932", "task": "Authorization Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json index 08d1e9e963bb..64b1d176053b 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json @@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "A new trust was created to a domain.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nTrusted Domain:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0\n\nTrust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\tDisabled", + "message": "A new trust was created to a domain.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6a868\n\nTrusted Domain:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0\n\nTrust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\tDisabled", "related": { "user": [ "Administrator" @@ -36,14 +36,13 @@ "name": "Administrator" }, "winlog": { - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "api": "wineventlog", + "activity_id": "{BE129571-63F8-0000-A795-12BEF863D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { "DomainName": "192.168.230.153", "DomainSid": "S-1-0-0", - "SidFilteringEnabled": "%%1796", + "SidFilteringEnabled": "Disabled", "SubjectDomainName": "TEST", "SubjectLogonId": "0x6a868", "SubjectUserName": "Administrator", @@ -66,7 +65,7 @@ "id": 3056 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "6017", "task": "Authentication Policy Change", 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json index 55b0f03274f1..86b4169c1c90 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json @@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "A trust to a domain was removed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nDomain Information:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0", + "message": "A trust to a domain was removed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6a868\n\nDomain Information:\n\tDomain Name:\t\t192.168.230.153\n\tDomain ID:\t\tS-1-0-0", "related": { "user": [ "Administrator" @@ -36,7 +36,6 @@ "name": "Administrator" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -61,7 +60,7 @@ "id": 2012 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "13679", "task": "Authentication Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json index 6e14de618248..05971082abeb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json 
@@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "Kerberos policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nChanges Made:\n('--' means no changes, otherwise each change is shown as:\n(Parameter Name):\t(new value) (old value))\nKerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", + "message": "Kerberos policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nChanges Made:\n('--' means no changes, otherwise each change is shown as:\n(Parameter Name):\t(new value) (old value))\nKerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", "related": { "user": [ "WIN-BVM4LI1L1Q6$" @@ -36,8 +36,7 @@ "name": "WIN-BVM4LI1L1Q6$" }, "winlog": { - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "api": "wineventlog", + "activity_id": "{BE129571-63F8-0000-A795-12BEF863D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -61,7 +60,7 @@ "id": 2012 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "21265", "task": "Authentication Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json index e11018510a4f..91ca0e97c698 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json 
@@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "Trusted domain information was modified.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6A868\n\nTrusted Domain:\n\tDomain Name:\t\t-\n\tDomain ID:\t\tS-1-0-0\n\nNew Trust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\t-", + "message": "Trusted domain information was modified.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x6a868\n\nTrusted Domain:\n\tDomain Name:\t\t-\n\tDomain ID:\t\tS-1-0-0\n\nNew Trust Information:\n\tTrust Type:\t\t3\n\tTrust Direction:\t\t3\n\tTrust Attributes:\t\t1\n\tSID Filtering:\t\t-", "related": { "user": [ "Administrator" @@ -36,8 +36,7 @@ "name": "Administrator" }, "winlog": { - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "api": "wineventlog", + "activity_id": "{BE129571-63F8-0000-A795-12BEF863D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -66,7 +65,7 @@ "id": 3776 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "14929", "task": "Authentication Policy Change", diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json index 231a35064e55..fa1d95cf168c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "System security access was granted to an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-9\n\nAccess Granted:\n\tAccess Right:\t\tSeNetworkLogonRight", + "message": "System security access was granted to an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-9\n\nAccess Granted:\n\tAccess Right:\t\tSeNetworkLogonRight", "related": { "user": [ "WIN-BVM4LI1L1Q6$" @@ -38,8 +38,7 @@ "name": "WIN-BVM4LI1L1Q6$" }, "winlog": { - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "api": "wineventlog", + "activity_id": "{B69BB9FF-63F5-0000-35BA-9BB6F563D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6", "event_data": { @@ -64,7 +63,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1571", "task": "Authentication Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json index 48cb2f747853..46fdd4dcb2be 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "System security access was removed from an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-32-545\n\nAccess Removed:\n\tAccess Right:\t\tSeNetworkLogonRight", + "message": "System security access was removed from an account.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nAccount Modified:\n\tAccount Name:\t\tS-1-5-32-545\n\nAccess Removed:\n\tAccess Right:\t\tSeNetworkLogonRight", "related": { "user": [ "WIN-BVM4LI1L1Q6$" @@ -38,8 +38,7 @@ "name": "WIN-BVM4LI1L1Q6$" }, "winlog": { - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "api": "wineventlog", + "activity_id": "{B69BB9FF-63F5-0000-35BA-9BB6F563D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6", "event_data": { @@ -64,7 +63,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1565", "task": "Authentication Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json index b034d8caa038..d547ce768a87 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\nAudit Policy Change:\n\tCategory:\t\tLogon/Logoff\n\tSubcategory:\t\tNetwork Policy Server\n\tSubcategory GUID:\t{0cce9243-69ae-11d9-bed3-505054503030}\n\tChanges:\t\tSuccess Added, Failure added", + "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3e7\n\nAudit Policy Change:\n\tCategory:\t\tLogon/Logoff\n\tSubcategory:\t\tNetwork Policy Server\n\tSubcategory GUID:\t{0CCE9243-69AE-11D9-BED3-505054503030}\n\tChanges:\t\tSuccess Added, Failure added", "related": { "user": [ "WIN-41OB2LO92CR$" @@ -38,21 +38,20 @@ "name": "WIN-41OB2LO92CR$" }, "winlog": { - "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", - "api": "wineventlog", + "activity_id": "{3EEF0A0D-9551-0000-140C-EF3E5195D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { - "AuditPolicyChanges": "%%8449, %%8451", + "AuditPolicyChanges": "Success Added, Failure added", "AuditPolicyChangesDescription": [ "Success Added", - "Failure Added" + "Failure added" ], "Category": "Logon/Logoff", - "CategoryId": "%%8273", + "CategoryId": "Logon/Logoff", "SubCategory": "Network Policy Server", - "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", - "SubcategoryId": "%%12552", + "SubcategoryGuid": "{0CCE9243-69AE-11D9-BED3-505054503030}", + "SubcategoryId": "Network Policy Server", "SubjectDomainName": "WLBEAT", "SubjectLogonId": "0x3e7", "SubjectUserName": "WIN-41OB2LO92CR$", 
@@ -72,7 +71,7 @@ "id": 2944 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "17154", "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json index 770bb463c1a5..5e6c920747f9 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json @@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x44D7D\n\nAudit Policy Change:\n\tCategory:\t\tObject Access\n\tSubcategory:\t\tOther Object Access Events\n\tSubcategory GUID:\t{0cce9227-69ae-11d9-bed3-505054503030}\n\tChanges:\t\tSuccess removed", + "message": "System audit policy was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-2024912787-2692429404-2351956786-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x44d7d\n\nAudit Policy Change:\n\tCategory:\t\tObject Access\n\tSubcategory:\t\tOther Object Access Events\n\tSubcategory GUID:\t{0CCE9227-69AE-11D9-BED3-505054503030}\n\tChanges:\t\tSuccess removed", "related": { "user": [ "Administrator" 
@@ -38,20 +38,19 @@ "name": "Administrator" }, "winlog": { - "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", - "api": "wineventlog", + "activity_id": "{65461D39-753F-0000-731D-46653F75D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { - "AuditPolicyChanges": "%%8448", + "AuditPolicyChanges": "Success removed", "AuditPolicyChangesDescription": [ "Success removed" ], "Category": "Object Access", - "CategoryId": "%%8274", + "CategoryId": "Object Access", "SubCategory": "Other Object Access Events", - "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", - "SubcategoryId": "%%12804", + "SubcategoryGuid": "{0CCE9227-69AE-11D9-BED3-505054503030}", + "SubcategoryId": "Other Object Access Events", "SubjectDomainName": "TEST", "SubjectLogonId": "0x44d7d", "SubjectUserName": "Administrator", @@ -71,7 +70,7 @@ "id": 2764 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "123879", "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json index 04b96ac55831..79a92a9cb7e7 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json 
@@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "Domain Policy was changed.\n\nChange Type:\t\tPassword Policy modified\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nDomain:\n\tDomain Name:\t\tTEST\n\tDomain ID:\t\tS-1-5-21-2024912787-2692429404-2351956786\n\nChanged Attributes:\n\tMin. Password Age:\t\n\tMax. Password Age:\t\n\tForce Logoff:\t\t\n\tLockout Threshold:\t\n\tLockout Observation Window:\t\n\tLockout Duration:\t\n\tPassword Properties:\t\n\tMin. Password Length:\t\n\tPassword History Length:\t-\n\tMachine Account Quota:\t-\n\tMixed Domain Mode:\t-\n\tDomain Behavior Version:\t-\n\tOEM Information:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "Domain Policy was changed.\n\nChange Type:\t\tPassword Policy modified\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nDomain:\n\tDomain Name:\t\tTEST\n\tDomain ID:\t\tS-1-5-21-2024912787-2692429404-2351956786\n\nChanged Attributes:\n\tMin. Password Age:\t\n\tMax. Password Age:\t\n\tForce Logoff:\t\t\n\tLockout Threshold:\t\n\tLockout Observation Window:\t\n\tLockout Duration:\t\n\tPassword Properties:\t\n\tMin. Password Length:\t\n\tPassword History Length:\t-\n\tMachine Account Quota:\t-\n\tMixed Domain Mode:\t-\n\tDomain Behavior Version:\t-\n\tOEM Information:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "WIN-BVM4LI1L1Q6$" @@ -36,7 +36,6 @@ "name": "WIN-BVM4LI1L1Q6$" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -68,7 +67,7 @@ "id": 812 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3532", "task": "Authentication Policy Change" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json index b2451c6b75bf..9a7abec68a1a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json 
@@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "A computer account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Computer Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\tTESTCOMPUTEROBJ$\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t515\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x85\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Workstation Trust Account' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\u003cvalue not set\u003e\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "A computer account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nNew Computer Account:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\tTESTCOMPUTEROBJ$\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t515\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x85\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Workstation Trust 
Account' - Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t\u003cvalue not set\u003e\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges\t\t-", "related": { "user": [ "at_adm" @@ -37,7 +37,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computerObject": { "domain": "TEST", @@ -46,13 +45,13 @@ }, "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", "DisplayName": "-", "DnsHostName": "-", "HomeDirectory": "-", "HomePath": "-", - "LogonHours": "%%1793", + "LogonHours": "\u003cvalue not set\u003e", "NewUACList": [ "USER_ACCOUNT_DISABLED", "USER_PASSWORD_NOT_REQUIRED", @@ -60,7 +59,7 @@ ], "NewUacValue": "0x85", "OldUacValue": "0x0", - "PasswordLastSet": "%%1794", + "PasswordLastSet": "\u003cnever\u003e", "PrimaryGroupId": "515", "PrivilegeList": [ "-" @@ -78,9 +77,9 @@ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", "TargetUserName": "TESTCOMPUTEROBJ$", "UserAccountControl": [ - "2080", - "2082", - "2087" + "Account Disabled", + "'Password Not Required' - Enabled", + "'Workstation Trust Account' - Enabled" ], "UserParameters": "-", "UserPrincipalName": "-", @@ -100,7 +99,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3699929", "task": "Computer Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json index 4233d2fec7a8..48c266b8774f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json 
@@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x85\n\tNew UAC Value:\t\t0x84\n\tUser Account Control:\t\n\t\tAccount Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A computer account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nComputer Account That Was Changed:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tDisplay Name:\t\t-\n\tUser Principal Name:\t-\n\tHome Directory:\t\t-\n\tHome Drive:\t\t-\n\tScript Path:\t\t-\n\tProfile Path:\t\t-\n\tUser Workstations:\t-\n\tPassword Last Set:\t-\n\tAccount Expires:\t\t-\n\tPrimary Group ID:\t-\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x85\n\tNew UAC Value:\t\t0x84\n\tUser Account Control:\t\n\t\tAccount Enabled\n\tUser Parameters:\t-\n\tSID History:\t\t-\n\tLogon Hours:\t\t-\n\tDNS Host Name:\t\t-\n\tService Principal Names:\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" 
@@ -37,7 +37,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computerObject": { "domain": "TEST", @@ -78,7 +77,7 @@ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", "TargetUserName": "TESTCOMPUTEROBJ$", "UserAccountControl": [ - "2048" + "Account Enabled" ], "UserParameters": "-", "UserPrincipalName": "-", @@ -98,7 +97,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3699934", "task": "Computer Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json index b7cd00dd8bfd..5e31341a0a68 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json @@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "A computer account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nTarget Computer:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A computer account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nTarget Computer:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2902\n\tAccount Name:\t\tTESTCOMPUTEROBJ$\n\tAccount Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -37,7 +37,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computerObject": { "domain": "TEST", 
@@ -71,7 +70,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3699966", "task": "Computer Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json index 14340f1898d9..10b19723cc18 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-disabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestdistlocal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestdistlocal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -42,7 +42,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -71,7 +70,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3699973", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json index cb0b005fc8e9..581a68898a63 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-disabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestdistlocal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestdistlocal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -42,7 +42,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -71,7 +70,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3700000", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json index 8922fa5b1d65..dcc3e2c9525d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was added to a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator", @@ -52,7 +52,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -81,7 +80,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3700022", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json index 5e85e85cb347..b98e5c3aa901 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-disabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator", @@ -52,7 +52,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -81,7 +80,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3700064", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json index b3212145129d..5710e63ea776 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-disabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2903\n\tGroup Name:\t\ttestdistlocal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -42,7 +42,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -69,7 +68,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707490", "task": "Distribution Group Management" 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json index a85446eede79..3fa551ed906a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-disabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestglobal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled global group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestglobal\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -42,7 +42,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -71,7 +70,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707497", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json index f66b9e93c991..de5da8db2413 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-disabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestglobal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestglobal1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -42,7 +42,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -71,7 +70,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707550", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json index 981b0e942994..e08c6d69cd43 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was added to a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator", @@ -52,7 +52,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -81,7 +80,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707667", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json index 1aae64679089..7f761d861f7e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-disabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator", @@ -52,7 +52,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -81,7 +80,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707686", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json index 46d6bb0e394b..990644b55d19 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-disabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2904\n\tGroup Name:\t\ttestglobal1\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -42,7 +42,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -69,7 +68,7 @@ "id": 1076 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707709", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json index ba25270a4c80..7cc773fd0f0a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-disabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestuni\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni\n\tGroup Domain:\t\tTEST\n\nAttributes:\n\tSAM Account Name:\ttestuni\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -42,7 +42,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -71,7 +70,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707737", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json index d316a4133ec8..6b1558b8fb9b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-disabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestuni2\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nChanged Attributes:\n\tSAM Account Name:\ttestuni2\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -42,7 +42,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -71,7 +70,7 @@ "id": 664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707745", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json index 9c37bd371f07..109f5487a23b 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was added to a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator", @@ -52,7 +52,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -81,7 +80,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707755", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json index 4bfe930b0da3..ffbeb8b1c15e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-disabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=TEST,DC=SAAS\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator", @@ -52,7 +52,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -81,7 +80,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707841", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json index 780b65bd7ef3..2165a06fda9e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-disabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2E67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-disabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x2e67800\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2905\n\tGroup Name:\t\ttestuni2\n\tGroup Domain:\t\tTEST\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "at_adm" @@ -42,7 +42,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -69,7 +68,7 @@ "id": 1348 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "3707847", "task": "Distribution Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json index cb3a98d3882c..9f3dfc9f046f 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tLSA\n\tObject Type:\tGlobal SACL\n\tObject Name:\tFile\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nObject:\n\tObject Server:\tLSA\n\tObject Type:\tGlobal SACL\n\tObject Name:\tFile\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", "related": { "user": [ "WIN-BVM4LI1L1Q6$", @@ -39,8 +39,7 @@ "name": "WIN-BVM4LI1L1Q6$" }, "winlog": { - "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", - "api": "wineventlog", + "activity_id": "{DFCD2C2A-7481-0000-682C-CDDF8174D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -69,7 +68,7 @@ "id": 3052 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "114278", "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json index 5c6dab0f41dc..cc5b83bb59e5 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json @@ -26,9 +26,8 @@ "log": { "level": "information" }, - "message": "The Per-user audit policy table was created.\n\nNumber of Elements:\t0\nPolicy ID:\t0x9FD2", + "message": "The Per-user audit policy table was created.\n\nNumber of Elements:\t0\nPolicy ID:\t0x9fd2", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -46,7 +45,7 @@ "id": 832 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "140273", "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json index c91fd476614c..ec1af11057ff 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "An attempt was made to register a security event source.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nProcess:\n\tProcess ID:\t0xe18\n\tProcess Name:\tC:\\Windows\\System32\\inetsrv\\inetinfo.exe\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x460422", + "message": "An attempt was made to register a security event source.\n\nSubject :\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nProcess:\n\tProcess ID:\t0xe18\n\tProcess Name:\tC:\\Windows\\System32\\inetsrv\\inetinfo.exe\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x460422", "process": { "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe", "name": "inetinfo.exe", @@ -43,8 +43,7 @@ "name": "WIN-BVM4LI1L1Q6$" }, "winlog": { - "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", - "api": "wineventlog", + "activity_id": "{DAB46F85-75EE-0000-C36F-B4DAEE75D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -69,7 +68,7 @@ "id": 824 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "146939", "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json index 4eb0139038c2..5d6c75b55031 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "An attempt was made to unregister a security event source.\n\nSubject\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nProcess:\n\tProcess ID:\t0x1364\n\tProcess Name:\t-\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x457B22", + "message": "An attempt was made to unregister a security event source.\n\nSubject\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nProcess:\n\tProcess ID:\t0x1364\n\tProcess Name:\t-\n\nEvent Source:\n\tSource Name:\tIIS-METABASE\n\tEvent Source ID:\t0x457b22", "process": { "executable": "-", "name": "-", @@ -43,8 +43,7 @@ "name": "WIN-BVM4LI1L1Q6$" }, "winlog": { - "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}", - "api": "wineventlog", + "activity_id": "{DAB46F85-75EE-0000-C36F-B4DAEE75D601}", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -69,7 +68,7 @@ "id": 824 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "146938", "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json index 2e71ca0361d6..861be0f18576 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json @@ -28,7 +28,6 @@ }, "message": "The CrashOnAuditFail value has changed.\n\nNew Value of CrashOnAuditFail:\t1", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { 
@@ -45,7 +44,7 @@ "id": 804 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "123786", "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json index 8ec45c3dbd8a..1596c1a5d029 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1\n\tHandle ID:\t0x93c\n\nProcess Information:\n\tProcess ID:\t0x10cc\n\tProcess Name:\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", + "message": "Auditing settings on object were changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-BVM4LI1L1Q6$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1\n\tHandle ID:\t0x93c\n\nProcess Information:\n\tProcess ID:\t0x10cc\n\tProcess Name:\tC:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe\n\nAuditing Settings:\n\tOriginal Security Descriptor:\t\n\tNew Security Descriptor:\t\tS:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)", "process": { "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe", "name": "TiWorker.exe", @@ -43,7 +43,6 @@ "name": "WIN-BVM4LI1L1Q6$" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { 
@@ -72,7 +71,7 @@ "id": 408 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "146933", "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json index 9acba8df75c4..28ad27ec5a67 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json @@ -28,7 +28,6 @@ }, "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.", "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { @@ -52,7 +51,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "140274", "task": "Audit Policy Change" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json index b1724e0f4c63..79b51a441b8d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json 
@@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "A privileged service was called.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tDC_TEST2K12$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3E7\n\nService:\n\tServer:\tNT Local Security Authority / Authentication Service\n\tService Name:\tLsaRegisterLogonProcess()\n\nProcess:\n\tProcess ID:\t0x1f0\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\n\nService Request Information:\n\tPrivileges:\t\tSeTcbPrivilege", + "message": "A privileged service was called.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tDC_TEST2K12$\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x3e7\n\nService:\n\tServer:\tNT Local Security Authority / Authentication Service\n\tService Name:\tLsaRegisterLogonProcess()\n\nProcess:\n\tProcess ID:\t0x1f0\n\tProcess Name:\tC:\\Windows\\System32\\lsass.exe\n\nService Request Information:\n\tPrivileges:\t\tSeTcbPrivilege", "process": { "executable": "C:\\Windows\\System32\\lsass.exe", "name": "lsass.exe", @@ -41,7 +41,6 @@ "name": "DC_TEST2K12$" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -69,7 +68,7 @@ "id": 504 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "5109160", "task": "Sensitive Privilege Use" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json index 15e95215432b..e0454071eab9 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json 
@@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x8AA365B\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1ee0\n\nProcess Information:\n\tProcess ID:\t0x374\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\t\t\t\t\n\tPrivileges:\t\tSeSecurityPrivilege", + "message": "An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x8aa365b\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n\tObject Name:\tC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\PLA\\Server Manager Performance Monitor\n\tObject Handle:\t0x1ee0\n\nProcess Information:\n\tProcess ID:\t0x374\n\tProcess Name:\tC:\\Windows\\System32\\svchost.exe\n\nRequested Operation:\n\tDesired Access:\tREAD_CONTROL\n\t\t\t\tACCESS_SYS_SEC\n\t\t\t\t\n\tPrivileges:\t\tSeSecurityPrivilege", "process": { "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", @@ -41,13 +41,12 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { "AccessMask": [ - "%%1538", - "%%1542" + "READ_CONTROL", + "ACCESS_SYS_SEC" ], "AccessMaskDescription": [ "Delete Child", @@ -79,7 +78,7 @@ "id": 504 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "5109140", "task": "Sensitive Privilege Use" 
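Review bot: The updated fixture shows several user-visible output changes that the changelog entry ("Default to use raw api and delete older xml implementation") does not flag as breaking: `winlog.provider_guid` flips to upper-case hex, hexadecimal parameters inside `message` flip to lower-case (`Logon ID:\t\t0x8AA365B` becomes `0x8aa365b`, no longer matching how Event Viewer renders the same event), `winlog.api` disappears, and `event_data.AccessMask` is now resolved to `READ_CONTROL`/`ACCESS_SYS_SEC` instead of the raw `%%1538`/`%%1542` placeholders. Detection rules, saved searches and dashboards keyed on the exact GUID casing, on `winlog.api`, or on message text in the old rendering will silently stop matching after an upgrade, which for a Security-channel source is a detection gap rather than a cosmetic diff. I would either normalize the new reader's casing to the previous form so these fixtures stay unchanged, or call each of these out as a breaking change in `CHANGELOG.next.asciidoc` with a migration note in the winlog input docs. The reader and ingest pipeline that produce these documents are outside this hunk, so I cannot tell from here whether the casing originates in the raw API path or in the pipeline.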
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json index 4583f47bf551..f17d808210d8 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json @@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4C323\n\nService Information:\n\tService Name: \t\twinlogbeat\n\tService File Name:\t\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true\n\tService Type: \t\t0x10\n\tService Start Type:\t2\n\tService Account: \t\tLocalSystem", + "message": "A service was installed in the system.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4c323\n\nService Information:\n\tService Name: \t\twinlogbeat\n\tService File Name:\t\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true\n\tService Type: \t\t0x10\n\tService Start Type:\t2\n\tService Account: \t\tLocalSystem", "related": { "user": [ "Administrator" 
@@ -42,8 +42,7 @@ "name": "Administrator" }, "winlog": { - "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}", - "api": "wineventlog", + "activity_id": "{74B64D41-08CE-0000-454F-B674CE08D601}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -71,7 +70,7 @@ "id": 2492 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "90108", "task": "Security System Extension" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json index cb07d880e629..ed052f5494cc 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "A scheduled task was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "related": { "user": [ "at_adm" @@ -38,7 +38,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -63,7 +62,7 @@ "id": 3684 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "5043782", "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json index b3c26a4f56ad..f25ce8345f4e 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "A scheduled task was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n 
\u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "related": { "user": [ "at_adm" @@ -38,7 +38,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -63,7 +62,7 @@ "id": 3684 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "5043801", "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json index 8ad5f4600d3a..6df4512e1f59 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "A scheduled task was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "related": { "user": [ "at_adm" @@ -38,7 +38,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -63,7 +62,7 @@ "id": 3684 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "5043792", "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json index cc62f8e6c6eb..a1a43298ad25 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "A scheduled task was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003efalse\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n 
\u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003efalse\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\mspaint.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "related": { "user": [ "at_adm" @@ -38,7 +38,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -63,7 +62,7 @@ "id": 3684 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "5043789", "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json index 2352de8c4945..a848d565d18a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json 
@@ -26,7 +26,7 @@ "log": { "level": "information" }, - "message": "A scheduled task was updated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CA6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask New Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n \u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n 
\u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", + "message": "A scheduled task was updated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1717121054-434620538-60925301-2794\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ca6\n\nTask Information:\n\tTask Name: \t\t\\test1\n\tTask New Content: \t\t\u003c?xml version=\"1.0\" encoding=\"UTF-16\"?\u003e\n\u003cTask version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\"\u003e\n \u003cRegistrationInfo\u003e\n \u003cDate\u003e2020-04-01T16:34:34.574883\u003c/Date\u003e\n \u003cAuthor\u003eTEST\\at_adm\u003c/Author\u003e\n \u003c/RegistrationInfo\u003e\n \u003cTriggers\u003e\n \u003cTimeTrigger\u003e\n \u003cStartBoundary\u003e2020-04-01T16:33:41.3123848\u003c/StartBoundary\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003c/TimeTrigger\u003e\n \u003c/Triggers\u003e\n \u003cPrincipals\u003e\n \u003cPrincipal id=\"Author\"\u003e\n \u003cRunLevel\u003eLeastPrivilege\u003c/RunLevel\u003e\n \u003cUserId\u003eTEST\\at_adm\u003c/UserId\u003e\n \u003cLogonType\u003eInteractiveToken\u003c/LogonType\u003e\n \u003c/Principal\u003e\n \u003c/Principals\u003e\n \u003cSettings\u003e\n \u003cMultipleInstancesPolicy\u003eIgnoreNew\u003c/MultipleInstancesPolicy\u003e\n \u003cDisallowStartIfOnBatteries\u003etrue\u003c/DisallowStartIfOnBatteries\u003e\n \u003cStopIfGoingOnBatteries\u003etrue\u003c/StopIfGoingOnBatteries\u003e\n \u003cAllowHardTerminate\u003etrue\u003c/AllowHardTerminate\u003e\n \u003cStartWhenAvailable\u003efalse\u003c/StartWhenAvailable\u003e\n 
\u003cRunOnlyIfNetworkAvailable\u003efalse\u003c/RunOnlyIfNetworkAvailable\u003e\n \u003cIdleSettings\u003e\n \u003cStopOnIdleEnd\u003etrue\u003c/StopOnIdleEnd\u003e\n \u003cRestartOnIdle\u003efalse\u003c/RestartOnIdle\u003e\n \u003c/IdleSettings\u003e\n \u003cAllowStartOnDemand\u003etrue\u003c/AllowStartOnDemand\u003e\n \u003cEnabled\u003etrue\u003c/Enabled\u003e\n \u003cHidden\u003efalse\u003c/Hidden\u003e\n \u003cRunOnlyIfIdle\u003efalse\u003c/RunOnlyIfIdle\u003e\n \u003cWakeToRun\u003efalse\u003c/WakeToRun\u003e\n \u003cExecutionTimeLimit\u003eP3D\u003c/ExecutionTimeLimit\u003e\n \u003cPriority\u003e7\u003c/Priority\u003e\n \u003c/Settings\u003e\n \u003cActions Context=\"Author\"\u003e\n \u003cExec\u003e\n \u003cCommand\u003e%windir%\\system32\\calc.exe\u003c/Command\u003e\n \u003c/Exec\u003e\n \u003c/Actions\u003e\n\u003c/Task\u003e\n\t", "related": { "user": [ "at_adm" @@ -38,7 +38,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { @@ -63,7 +62,7 @@ "id": 1284 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "5043795", "task": "Other Object Access Events" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json index c1c40241415d..edfcfdafd31a 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json @@ -46,7 +46,6 @@ "name": "at_adm" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", "event_data": { 
@@ -79,7 +78,7 @@
 "id": 2868
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "5040235",
 "task": "Kerberos Authentication Service"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json
index ddf98ed0b7cd..581aa06da469 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json
@@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "A Kerberos service ticket was requested.\n\nAccount Information:\n\tAccount Name:\t\tat_adm@TEST.SAAS\n\tAccount Domain:\t\tTEST.SAAS\n\tLogon GUID:\t\t{46f85809-d26e-96f5-fbf2-73bd761a2d68}\n\nService Information:\n\tService Name:\t\tDC_TEST2K12$\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-1110\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x40810000\n\tTicket Encryption Type:\t0x12\n\tFailure Code:\t\t0x0\n\tTransited Services:\t-\n\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\n\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\n\nTicket options, encryption types, and failure codes are defined in RFC 4120.", + "message": "A Kerberos service ticket was requested.\n\nAccount Information:\n\tAccount Name:\t\tat_adm@TEST.SAAS\n\tAccount Domain:\t\tTEST.SAAS\n\tLogon GUID:\t\t{46F85809-D26E-96F5-FBF2-73BD761A2D68}\n\nService Information:\n\tService Name:\t\tDC_TEST2K12$\n\tService ID:\t\tS-1-5-21-1717121054-434620538-60925301-1110\n\nNetwork Information:\n\tClient Address:\t\t::1\n\tClient Port:\t\t0\n\nAdditional Information:\n\tTicket Options:\t\t0x40810000\n\tTicket Encryption Type:\t0x12\n\tFailure Code:\t\t0x0\n\tTransited Services:\t-\n\nThis event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.\n\nThis event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. 
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.\n\nTicket options, encryption types, and failure codes are defined in RFC 4120.",
 "related": {
 "ip": [
 "::1"
@@ -45,11 +45,10 @@
 "name": "at_adm"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
 "event_data": {
- "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}",
+ "LogonGuid": "{46F85809-D26E-96F5-FBF2-73BD761A2D68}",
 "ServiceName": "DC_TEST2K12$",
 "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110",
 "Status": "0x0",
@@ -77,7 +76,7 @@
 "id": 2868
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "5040236",
 "task": "Kerberos Service Ticket Operations"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json
index d76e139ac7a0..1feb88ec7d35 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json
@@ -45,7 +45,6 @@
 "name": "DC_TEST2K12$"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
 "event_data": {
@@ -72,7 +71,7 @@
 "id": 4468
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "5039598",
 "task": "Kerberos Service Ticket Operations"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json
index 8ac4835eb362..47530545d71f 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json
@@ -45,7 +45,6 @@
 "name": "MPUIG"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
 "event_data": {
@@ -74,7 +73,7 @@
 "id": 4552
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "5027836",
 "task": "Kerberos Authentication Service"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json
index e9ee05ee05c4..35a91707f7e3 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json
@@ -34,7 +34,6 @@
 "name": "at_adm"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
 "event_data": {
@@ -59,7 +58,7 @@
 "id": 1864
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "5040222",
 "task": "Credential Validation"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json
index da716047cdd2..702e036b24ee 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json
@@ -25,7 +25,7 @@
 "log": {
 "level": "information"
 },
- "message": "A session was reconnected to a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x76FEA87\n\nSession:\n\tSession Name:\t\tRDP-Tcp#127\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.9\n\nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.",
+ "message": "A session was reconnected to a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x76fea87\n\nSession:\n\tSession Name:\t\tRDP-Tcp#127\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.9\n\nThis event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.",
 "related": {
 "ip": [
 "10.100.150.9"
@@ -43,7 +43,6 @@
 "name": "at_adm"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
 "event_data": {
@@ -68,7 +67,7 @@
 "id": 4184
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "5101675",
 "task": "Other Logon/Logoff Events"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json
index fb96fcfc2a69..b87c03adc539 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json
@@ -25,7 +25,7 @@
 "log": {
 "level": "information"
 },
- "message": "A session was disconnected from a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60D1CCB\n\nSession:\n\tSession Name:\t\tRDP-Tcp#116\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.17\n\n\nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.",
+ "message": "A session was disconnected from a Window Station.\n\nSubject:\n\tAccount Name:\t\tat_adm\n\tAccount Domain:\t\tTEST\n\tLogon ID:\t\t0x60d1ccb\n\nSession:\n\tSession Name:\t\tRDP-Tcp#116\n\nAdditional Information:\n\tClient Name:\t\tEQP01777\n\tClient Address:\t\t10.100.150.17\n\n\nThis event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.",
 "related": {
 "ip": [
 "10.100.150.17"
@@ -43,7 +43,6 @@
 "name": "at_adm"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
 "event_data": {
@@ -68,7 +67,7 @@
 "id": 3852
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "5069070",
 "task": "Other Logon/Logoff Events"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json
index ca2e383e6001..a77484fb36a1 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json 
@@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
 "process": {
 "executable": "C:\\Windows\\System32\\services.exe",
 "name": "services.exe",
@@ -42,12 +42,11 @@
 "name": "SYSTEM"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "vagrant-2012-r2",
 "event_data": {
 "AuthenticationPackageName": "Negotiate",
- "ImpersonationLevel": "%%1833",
+ "ImpersonationLevel": "Impersonation",
 "IpAddress": "-",
 "IpPort": "-",
 "KeyLength": "0",
@@ -80,7 +79,7 @@
 "id": 536
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "1535",
 "task": "Logon",
@@ -112,7 +111,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
 "process": {
 "executable": "C:\\Windows\\System32\\services.exe",
 "name": "services.exe",
@@ -130,12 +129,11 @@
 "name": "SYSTEM"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "vagrant-2012-r2",
 "event_data": {
 "AuthenticationPackageName": "Negotiate",
- "ImpersonationLevel": "%%1833",
+ "ImpersonationLevel": "Impersonation",
 "IpAddress": "-",
 "IpPort": "-",
 "KeyLength": "0",
@@ -168,7 +166,7 @@
 "id": 556
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "1538",
 "task": "Logon",
@@ -200,7 +198,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1c0\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t127.0.0.1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008e\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1c0\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t127.0.0.1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
 "process": {
 "executable": "C:\\Windows\\System32\\winlogon.exe",
 "name": "winlogon.exe",
@@ -226,12 +224,11 @@
 "name": "vagrant"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "vagrant-2012-r2",
 "event_data": {
 "AuthenticationPackageName": "Negotiate",
- "ImpersonationLevel": "%%1833",
+ "ImpersonationLevel": "Impersonation",
 "KeyLength": "0",
 "LmPackageName": "-",
 "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
@@ -262,7 +259,7 @@
 "id": 556
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "1542",
 "task": "Logon",
@@ -294,7 +291,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", @@ -312,12 +309,11 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -350,7 +346,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1545", "task": "Logon", 
@@ -382,7 +378,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x129F1\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-7\n\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x129f1\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V1\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. 
the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "-", "name": "-", @@ -399,12 +395,11 @@ "name": "ANONYMOUS LOGON" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -437,7 +432,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1547", "task": "Logon", 
@@ -469,7 +464,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x28D31\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x28d31\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "-", "name": "-", @@ -486,12 +481,11 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "128", @@ -524,7 +518,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1550", "task": "Logon", 
@@ -556,7 +550,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x29F0F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x29f0f\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "-", "name": "-", @@ -573,12 +567,11 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "128", @@ -611,7 +604,7 @@ "id": 548 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1553", "task": "Logon", 
@@ -643,7 +636,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x2A362\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x2a362\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "-", "name": "-", @@ -660,12 +653,11 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "128", @@ -698,7 +690,7 @@ "id": 548 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1556", "task": "Logon", 
@@ -730,7 +722,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x324F8\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t127.0.0.1\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nLogon Type:\t\t\t3\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x324f8\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x0\n\tProcess Name:\t\t-\n\nNetwork Information:\n\tWorkstation Name:\t127.0.0.1\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\tNTLM V2\n\tKey Length:\t\t128\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "-", "name": "-", @@ -750,12 +742,11 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "NTLM", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "128", @@ -788,7 +779,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1561", "task": "Logon", 
@@ -820,7 +811,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-2\n\tAccount Name:\t\tDWM-2\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x33444\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-2\n\tAccount Name:\t\tDWM-2\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x33444\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", @@ -838,12 +829,11 @@ "name": "DWM-2" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -876,7 +866,7 @@ "id": 548 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1563", "task": "Logon", 
@@ -908,7 +898,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t10\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x3444F\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t10.0.2.2\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t10\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x3444f\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0xafc\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t10.0.2.2\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tUser32 \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", @@ -934,12 +924,11 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "KeyLength": "0", "LmPackageName": "-", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", @@ -970,7 +959,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1567", "task": "Logon", 
@@ -1002,7 +991,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-3\n\tAccount Name:\t\tDWM-3\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x357FD\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x88c\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t2\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-90-3\n\tAccount Name:\t\tDWM-3\n\tAccount Domain:\t\tWindow Manager\n\tLogon ID:\t\t0x357fd\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x88c\n\tProcess Name:\t\tC:\\Windows\\System32\\winlogon.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", @@ -1020,12 +1009,11 @@ "name": "DWM-3" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -1058,7 +1046,7 @@ "id": 556 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1570", "task": "Logon", 
@@ -1090,7 +1078,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", @@ -1108,12 +1096,11 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -1146,7 +1133,7 @@ "id": 1132 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1574", "task": "Logon", 
@@ -1178,7 +1165,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", @@ -1196,12 +1183,11 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -1234,7 +1220,7 @@ "id": 1132 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1576", "task": "Logon", 
@@ -1266,7 +1252,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", @@ -1284,12 +1270,11 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -1322,7 +1307,7 @@ "id": 504 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1578", "task": "Logon", 
@@ -1354,7 +1339,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", @@ -1372,12 +1357,11 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -1410,7 +1394,7 @@ "id": 1132 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1581", "task": "Logon", 
@@ -1442,7 +1426,7 @@ "log": { "level": "information" }, - "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tVAGRANT-2012-R2$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nLogon Type:\t\t\t5\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x1fc\n\tProcess Name:\t\tC:\\Windows\\System32\\services.exe\n\nNetwork Information:\n\tWorkstation Name:\t\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. 
The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", @@ -1460,12 +1444,11 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "ImpersonationLevel": "%%1833", + "ImpersonationLevel": "Impersonation", "IpAddress": "-", "IpPort": "-", "KeyLength": "0", @@ -1498,7 +1481,7 @@ "id": 344 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1583", "task": "Logon", 
@@ -1530,7 +1513,7 @@ "log": { "level": "information" }, - "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008E\n\nLogon Type:\t\t\t2\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tbosch\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n\tSub Status:\t\t0xC0000064\n\nProcess Information:\n\tCaller Process ID:\t0x344\n\tCaller Process Name:\tC:\\Windows\\System32\\svchost.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tseclogo\n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "message": "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3541430928-2051711210-1391384369-1001\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\tLogon ID:\t\t0x1008e\n\nLogon Type:\t\t\t2\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\tbosch\n\tAccount Domain:\t\tVAGRANT-2012-R2\n\nFailure Information:\n\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xc000006d\n\tSub Status:\t\t0xc0000064\n\nProcess Information:\n\tCaller Process ID:\t0x344\n\tCaller Process Name:\tC:\\Windows\\System32\\svchost.exe\n\nNetwork Information:\n\tWorkstation Name:\tVAGRANT-2012-R2\n\tSource Network Address:\t::1\n\tSource Port:\t\t0\n\nDetailed Authentication Information:\n\tLogon Process:\t\tseclogo\n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. 
The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", "process": { "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", @@ -1555,12 +1538,11 @@ "name": "bosch" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "vagrant-2012-r2", "event_data": { "AuthenticationPackageName": "Negotiate", - "FailureReason": "%%2313", + "FailureReason": "Unknown user name or bad password.", "KeyLength": "0", "LmPackageName": "-", "LogonProcessName": "seclogo", @@ -1596,7 +1578,7 @@ "id": 2756 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "1585", "task": "Logon" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json index a4d6dd612030..b7eecb441394 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json 
@@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1766348727-1038078804-3833492317-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2016\n\tLogon ID:\t\t0x76A087\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1766348727-1038078804-3833492317-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2016\n\tLogon ID:\t\t0x76a087\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", "related": { "user": [ "vagrant" @@ -36,8 +36,7 @@ "name": "vagrant" }, "winlog": { - "activity_id": "{3be96152-eefc-0002-c061-e93bfceed301}", - "api": "wineventlog", + "activity_id": "{3BE96152-EEFC-0002-C061-E93BFCEED301}", "channel": "Security", "computer_name": "vagrant-2016", "event_data": { @@ -71,7 +70,7 @@ "id": 636 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "143340", "task": "Special Logon" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json index a7fcd4fe171e..83e4a7c656c1 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json @@ -24,7 +24,7 @@ "log": { "level": "information" }, - "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767A77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767a77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", "related": { "user": [ "audittest" @@ -36,7 +36,6 @@ "name": "audittest" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -61,7 +60,7 @@ "id": 540 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "485", "task": "Logoff" 
@@ -92,7 +91,7 @@ "log": { "level": "information" }, - "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104A4A6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", + "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104a4a6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.", "related": { "user": [ "Administrator" @@ -104,7 +103,6 @@ "name": "Administrator" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -129,7 +127,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "747", "task": "Logoff" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json index 37cfbae0c189..4c9c4c3f8a07 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json 
@@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount 
Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", "related": { "user": [ "Administrator", @@ -43,17 +43,16 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", - "DisplayName": "%%1793", - "HomeDirectory": "%%1793", - "HomePath": "%%1793", - "LogonHours": "%%1797", + "DisplayName": "\u003cvalue not set\u003e", + "HomeDirectory": "\u003cvalue not set\u003e", + "HomePath": "\u003cvalue not set\u003e", + "LogonHours": "All", "NewUACList": [ "USER_ACCOUNT_DISABLED", "USER_PASSWORD_NOT_REQUIRED", @@ -61,12 +60,12 @@ ], "NewUacValue": "0x15", "OldUacValue": "0x0", - "PasswordLastSet": "%%1794", + "PasswordLastSet": "\u003cnever\u003e", "PrimaryGroupId": "513", "PrivilegeList": "-", - "ProfilePath": "%%1793", + "ProfilePath": "\u003cvalue not set\u003e", "SamAccountName": "elastictest1", - "ScriptPath": "%%1793", + "ScriptPath": "\u003cvalue not set\u003e", "SidHistory": "-", "SubjectDomainName": "WIN-41OB2LO92CR", "SubjectLogonId": "0x264b2", 
@@ -76,13 +75,13 @@ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", "TargetUserName": "elastictest1", "UserAccountControl": [ - "2080", - "2082", - "2084" + "Account Disabled", + "'Password Not Required' - Enabled", + "'Normal Account' - Enabled" ], - "UserParameters": "%%1793", + "UserParameters": "\u003cvalue not set\u003e", "UserPrincipalName": "-", - "UserWorkstations": "%%1793" + "UserWorkstations": "\u003cvalue not set\u003e" }, "event_id": "4720", "keywords": [ @@ -98,7 +97,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2751", "task": "User Account Management" 
@@ -130,7 +129,7 @@ "log": { "level": "information" }, - "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last 
Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-", "related": { "user": [ "Administrator", @@ -148,17 +147,16 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", - "DisplayName": "%%1793", - "HomeDirectory": "%%1793", - "HomePath": "%%1793", - "LogonHours": "%%1797", + "DisplayName": "\u003cvalue not set\u003e", + "HomeDirectory": "\u003cvalue not set\u003e", + "HomePath": "\u003cvalue not set\u003e", + "LogonHours": "All", "NewUACList": [ "USER_ACCOUNT_DISABLED", "USER_PASSWORD_NOT_REQUIRED", @@ -166,12 +164,12 @@ ], "NewUacValue": "0x15", "OldUacValue": "0x0", - "PasswordLastSet": "%%1794", + "PasswordLastSet": "\u003cnever\u003e", "PrimaryGroupId": "513", "PrivilegeList": "-", - "ProfilePath": "%%1793", + "ProfilePath": "\u003cvalue not set\u003e", "SamAccountName": "audittest0609", - "ScriptPath": "%%1793", + "ScriptPath": "\u003cvalue not set\u003e", "SidHistory": "-", "SubjectDomainName": "WIN-41OB2LO92CR", "SubjectLogonId": "0x264b2", 
@@ -181,13 +179,13 @@ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", "TargetUserName": "audittest0609", "UserAccountControl": [ - "2080", - "2082", - "2084" + "Account Disabled", + "'Password Not Required' - Enabled", + "'Normal Account' - Enabled" ], - "UserParameters": "%%1793", + "UserParameters": "\u003cvalue not set\u003e", "UserPrincipalName": "-", - "UserWorkstations": "%%1793" + "UserWorkstations": "\u003cvalue not set\u003e" }, "event_id": "4720", "keywords": [ @@ -203,7 +201,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2775", "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json index 8acd38ccd8b9..07721d174a84 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json 
@@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "related": { "user": [ "Administrator", @@ -43,8 +43,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -70,7 +69,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2815", "task": "User Account Management" 
@@ -102,7 +101,7 @@ "log": { "level": "information" }, - "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "related": { "user": [ "Administrator", @@ -120,8 +119,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -147,7 +145,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2826", "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json index 0738a3cac0c8..3f487e030972 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json 
@@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", "related": { "user": [ "Administrator" @@ -42,8 +42,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -70,7 +69,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2838", "task": "User Account Management" 
@@ -102,7 +101,7 @@ "log": { "level": "information" }, - "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", + "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-", "related": { "user": [ "Administrator" @@ -119,8 +118,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -147,7 +145,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2839", "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json index 58663b216186..1833927d02c2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json 
@@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "related": { "user": [ "Administrator", @@ -43,8 +43,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -70,7 +69,7 @@ "id": 816 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2762", "task": "User Account Management" 
@@ -102,7 +101,7 @@ "log": { "level": "information" }, - "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "related": { "user": [ "Administrator", @@ -120,8 +119,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -147,7 +145,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2787", "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json index 5b50072792db..79790a16dee5 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json 
@@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "related": { "user": [ "Administrator", @@ -43,8 +43,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -70,7 +69,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2810", "task": "User Account Management" 
@@ -102,7 +101,7 @@ "log": { "level": "information" }, - "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", + "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR", "related": { "user": [ "Administrator", @@ -120,8 +119,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -147,7 +145,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2820", "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json index 9b8a6c9fc01b..0bda306500cd 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json 
@@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1001\n\tAccount Name:\t\taudittest23\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1001\n\tAccount Name:\t\taudittest23\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", "related": { "user": [ "Administrator", @@ -43,8 +43,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -71,7 +70,7 @@ "id": 1980 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2851", "task": "User Account Management" 
@@ -103,7 +102,7 @@ "log": { "level": "information" }, - "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", + "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-", "related": { "user": [ "Administrator", @@ -121,8 +120,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { @@ -149,7 +147,7 @@ "id": 820 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2857", "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json index d1779d672d1f..7c0daddda1eb 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json 
@@ -42,7 +42,6 @@ "name": "WIN-41OB2LO92CR$" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -71,7 +70,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4105", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json index 1c5e5f81d93c..8003cd0b0192 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was added to a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -51,7 +51,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -80,7 +79,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4657", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json index 836f496a6344..4192234cfafa 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-enabled global group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -51,7 +51,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -80,7 +79,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4665", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json index 951030babe63..9e1569a960de 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-enabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nDeleted Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled global group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nDeleted Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -42,7 +42,6 @@ "name": "Administrator" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -69,7 +68,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4670", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json index 2c2d9988fb59..04208917be62 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-enabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\ttest_group1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled local group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nNew Group:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\ttest_group1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -42,7 +42,6 @@ "name": "Administrator" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -71,7 +70,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4569", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json index 8d382bc8cc6e..676eb809a242 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was added to a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -51,7 +51,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -80,7 +79,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4625", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json index 5bc1bdbe2d59..039f194b6ea2 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json 
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A member was removed from a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A member was removed from a security-enabled local group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -51,7 +51,6 @@ } }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -80,7 +79,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4627", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json index 2042cc2b9323..f787de71d20a 100644 
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-enabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled local group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -42,7 +42,6 @@ "name": "Administrator" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -69,7 +68,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4630", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json index 4ad378e3040a..f714031bc222 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-enabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\ttest_group1v1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled local group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1111\n\tGroup Name:\t\ttest_group1v1\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\ttest_group1v1\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -42,7 +42,6 @@ "name": "Administrator" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -71,7 +70,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4628", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json index 7fdf3fb4589b..a975fff3e55d 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json 
@@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-enabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled global group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -42,7 +42,6 @@ "name": "Administrator" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { @@ -71,7 +70,7 @@ "id": 1664 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "4668", "task": "Security Group Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json index 025b1f20bca4..6b698d60b78c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json 
@@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\telastictest1\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:30:28\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x210\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t-\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\telastictest1\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:30:28\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC 
Value:\t\t0x210\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t-\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator", @@ -43,18 +43,17 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", "DisplayName": "elastictest1", "Dummy": "-", - "HomeDirectory": "%%1793", - "HomePath": "%%1793", - "LogonHours": "%%1797", + "HomeDirectory": "\u003cvalue not set\u003e", + "HomePath": "\u003cvalue not set\u003e", + "LogonHours": "All", "NewUACList": [ "USER_NORMAL_ACCOUNT", "USER_DONT_EXPIRE_PASSWORD" @@ -64,9 +63,9 @@ "PasswordLastSet": "6/9/2019 10:30:28", "PrimaryGroupId": "513", "PrivilegeList": "-", - "ProfilePath": "%%1793", + "ProfilePath": "\u003cvalue not set\u003e", "SamAccountName": "elastictest1", - "ScriptPath": "%%1793", + "ScriptPath": "\u003cvalue not set\u003e", "SidHistory": "-", "SubjectDomainName": "WIN-41OB2LO92CR", "SubjectLogonId": "0x264b2", @@ -78,9 +77,9 @@ "UserAccountControl": [ "-" ], - "UserParameters": "%%1793", + "UserParameters": "\u003cvalue not set\u003e", "UserPrincipalName": "-", - "UserWorkstations": "%%1793" + "UserWorkstations": "\u003cvalue not set\u003e" }, "event_id": "4738", "keywords": [ @@ -96,7 +95,7 @@ "id": 1980 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2862", "task": "User Account Management" 
@@ -128,7 +127,7 @@ "log": { "level": "information" }, - "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\taudittest0609s\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:25:21\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x10\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t\n\t\t'Don't Expire Password' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A user account was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nChanged Attributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\taudittest0609s\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t6/9/2019 10:25:21\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group 
ID:\t513\n\tAllowedToDelegateTo:\t-\n\tOld UAC Value:\t\t0x10\n\tNew UAC Value:\t\t0x210\n\tUser Account Control:\t\n\t\t'Don't Expire Password' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator", @@ -146,18 +145,17 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { - "AccountExpires": "%%1794", + "AccountExpires": "\u003cnever\u003e", "AllowedToDelegateTo": "-", "DisplayName": "audittest0609s", "Dummy": "-", - "HomeDirectory": "%%1793", - "HomePath": "%%1793", - "LogonHours": "%%1797", + "HomeDirectory": "\u003cvalue not set\u003e", + "HomePath": "\u003cvalue not set\u003e", + "LogonHours": "All", "NewUACList": [ "USER_NORMAL_ACCOUNT", "USER_DONT_EXPIRE_PASSWORD" @@ -167,9 +165,9 @@ "PasswordLastSet": "6/9/2019 10:25:21", "PrimaryGroupId": "513", "PrivilegeList": "-", - "ProfilePath": "%%1793", + "ProfilePath": "\u003cvalue not set\u003e", "SamAccountName": "audittest0609", - "ScriptPath": "%%1793", + "ScriptPath": "\u003cvalue not set\u003e", "SidHistory": "-", "SubjectDomainName": "WIN-41OB2LO92CR", "SubjectLogonId": "0x264b2", @@ -179,11 +177,11 @@ "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", "TargetUserName": "audittest0609", "UserAccountControl": [ - "2089" + "'Don't Expire Password' - Enabled" ], - "UserParameters": "%%1793", + "UserParameters": "\u003cvalue not set\u003e", "UserPrincipalName": "-", - "UserWorkstations": "%%1793" + "UserWorkstations": "\u003cvalue not set\u003e" }, "event_id": "4738", "keywords": [ 
@@ -199,7 +197,7 @@ "id": 808 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2866", "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json index eaec5eb7104f..117bc6ecfc3c 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json @@ -25,7 +25,7 @@ "log": { "level": "information" }, - "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\nAdditional Information:\n\tCaller Computer Name:\tWIN-41OB2LO92CR", + "message": "A user account was locked out.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nAccount That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\nAdditional Information:\n\tCaller Computer Name:\tWIN-41OB2LO92CR", "related": { "user": [ "WIN-41OB2LO92CR$", @@ -43,8 +43,7 @@ } }, "winlog": { - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "api": "wineventlog", + "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}", "channel": "Security", "computer_name": "WIN-41OB2LO92CR", "event_data": { 
@@ -70,7 +69,7 @@ "id": 532 } }, - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "provider_name": "Microsoft-Windows-Security-Auditing", "record_id": "2883", "task": "User Account Management" diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json index f01b564e6ec9..75e8b17da109 100644 --- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json +++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json @@ -30,7 +30,7 @@ "log": { "level": "information" }, - "message": "A security-enabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tTest_group3\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", + "message": "A security-enabled universal group was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3\n\tGroup Domain:\t\tWLBEAT\n\nAttributes:\n\tSAM Account Name:\tTest_group3\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-", "related": { "user": [ "Administrator" @@ -42,7 +42,6 @@ "name": "Administrator" }, "winlog": { - "api": "wineventlog", "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", "event_data": { 
@@ -71,7 +70,7 @@
 "id": 1664
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "4676",
 "task": "Security Group Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json
index 7d41c2ec98d2..45aa9656b2b5 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json
@@ -30,7 +30,7 @@
 "log": {
 "level": "information"
 },
- "message": "A security-enabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "message": "A security-enabled universal group was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nChanged Attributes:\n\tSAM Account Name:\t-\n\tSID History:\t\t-\n\nAdditional Information:\n\tPrivileges:\t\t-",
 "related": {
 "user": [
 "Administrator"
@@ -42,7 +42,6 @@
 "name": "Administrator"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_data": {
@@ -71,7 +70,7 @@
 "id": 1664
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "4685",
 "task": "Security Group Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json
index 29b96fbe24d2..d96febf2d1f9 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json
@@ -30,7 +30,7 @@
 "log": {
 "level": "information"
 },
- "message": "A member was added to a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tAccount Name:\t\tTest_group3v2\n\tAccount Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "message": "A member was added to a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tAccount Name:\t\tTest_group3v2\n\tAccount Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
 "related": {
 "user": [
 "Administrator"
@@ -51,7 +51,6 @@
 }
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_data": {
@@ -80,7 +79,7 @@
 "id": 1664
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "4684",
 "task": "Security Group Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json
index 0193719b9a29..64018b473626 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json
@@ -30,7 +30,7 @@
 "log": {
 "level": "information"
 },
- "message": "A member was removed from a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "message": "A member was removed from a security-enabled universal group.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nMember:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tCN=Administrator,CN=Users,DC=wlbeat,DC=local\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
 "related": {
 "user": [
 "Administrator"
@@ -51,7 +51,6 @@
 }
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_data": {
@@ -80,7 +79,7 @@
 "id": 1664
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "4686",
 "task": "Security Group Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json
index b27f572f3c2d..2c506ec72bbc 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json
@@ -30,7 +30,7 @@
 "log": {
 "level": "information"
 },
- "message": "A security-enabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "message": "A security-enabled universal group was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1113\n\tGroup Name:\t\tTest_group3v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
 "related": {
 "user": [
 "Administrator"
@@ -42,7 +42,6 @@
 "name": "Administrator"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_data": {
@@ -69,7 +68,7 @@
 "id": 1664
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "4687",
 "task": "Security Group Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json
index ab0e757d0414..91d5ffba175a 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json
@@ -30,7 +30,7 @@
 "log": {
 "level": "information"
 },
- "message": "A group’s type was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4A727\n\nChange Type:\t\t\tSecurity Enabled Universal Group Changed to Security Enabled Global Group.\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "message": "A group’s type was changed.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x4a727\n\nChange Type:\t\t\tSecurity Enabled Universal Group Changed to Security Enabled Global Group.\n\nGroup:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1112\n\tGroup Name:\t\ttest_group2v2\n\tGroup Domain:\t\tWLBEAT\n\nAdditional Information:\n\tPrivileges:\t\t-",
 "related": {
 "user": [
 "Administrator"
@@ -42,7 +42,6 @@
 "name": "Administrator"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_data": {
@@ -70,7 +69,7 @@
 "id": 1664
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "4669",
 "task": "Security Group Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json
index a194a3ff534a..344e1c791536 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json
@@ -25,7 +25,7 @@
 "log": {
 "level": "information"
 },
- "message": "A user account was unlocked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR",
+ "message": "A user account was unlocked.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR",
 "related": {
 "user": [
 "Administrator",
@@ -43,8 +43,7 @@
 }
 },
 "winlog": {
- "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
- "api": "wineventlog",
+ "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR",
 "event_data": {
@@ -70,7 +69,7 @@
 "id": 808
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "2892",
 "task": "User Account Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json
index 0010cc0078c6..81ed745b2eee 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json
@@ -25,7 +25,7 @@
 "log": {
 "level": "information"
 },
- "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest0609\n\tNew Account Name:\taudittest06\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest0609\n\tNew Account Name:\taudittest06\n\nAdditional Information:\n\tPrivileges:\t\t-",
 "related": {
 "user": [
 "Administrator",
@@ -45,8 +45,7 @@
 }
 },
 "winlog": {
- "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
- "api": "wineventlog",
+ "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR",
 "event_data": {
@@ -74,7 +73,7 @@
 "id": 808
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "2873",
 "task": "User Account Management"
@@ -106,7 +105,7 @@
 "log": {
 "level": "information"
 },
- "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest06\n\tNew Account Name:\taudittest0609\n\nAdditional Information:\n\tPrivileges:\t\t-",
+ "message": "The name of an account was changed:\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264b2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tOld Account Name:\taudittest06\n\tNew Account Name:\taudittest0609\n\nAdditional Information:\n\tPrivileges:\t\t-",
 "related": {
 "user": [
 "Administrator",
@@ -126,8 +125,7 @@
 }
 },
 "winlog": {
- "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}",
- "api": "wineventlog",
+ "activity_id": "{1200CE16-64B6-0000-0ED0-0012B664D501}",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR",
 "event_data": {
@@ -155,7 +153,7 @@
 "id": 808
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "2875",
 "task": "User Account Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json
index 460c9d3a84f2..95744e328f82 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json
@@ -25,7 +25,7 @@
 "log": {
 "level": "information"
 },
- "message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nProcess Information:\n\tProcess ID:\t\t0x3f0\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe",
+ "message": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nUser:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nProcess Information:\n\tProcess ID:\t\t0x3f0\n\tProcess Name:\t\tC:\\Windows\\System32\\LogonUI.exe",
 "related": {
 "user": [
 "WIN-41OB2LO92CR$",
@@ -43,8 +43,7 @@
 }
 },
 "winlog": {
- "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}",
- "api": "wineventlog",
+ "activity_id": "{C3FF3C1C-7DC1-0000-233E-FFC3C17DD501}",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR",
 "event_data": {
@@ -72,7 +71,7 @@
 "id": 1740
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "2996",
 "task": "User Account Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json
index 6473c013f42a..3ea261e3f824 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json
@@ -30,7 +30,7 @@
 "log": {
 "level": "information"
 },
- "message": "A security-enabled local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3E7\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nProcess Information:\n\tProcess ID:\t\t0x494\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe",
+ "message": "A security-enabled local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWORKGROUP\n\tLogon ID:\t\t0x3e7\n\nGroup:\n\tSecurity ID:\t\tS-1-5-32-544\n\tGroup Name:\t\tAdministrators\n\tGroup Domain:\t\tBuiltin\n\nProcess Information:\n\tProcess ID:\t\t0x494\n\tProcess Name:\t\tC:\\Windows\\System32\\svchost.exe",
 "related": {
 "user": [
 "WIN-41OB2LO92CR$"
@@ -42,8 +42,7 @@
 "name": "WIN-41OB2LO92CR$"
 },
 "winlog": {
- "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}",
- "api": "wineventlog",
+ "activity_id": "{C3FF3C1C-7DC1-0000-233E-FFC3C17DD501}",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR",
 "event_data": {
@@ -71,7 +70,7 @@
 "id": 820
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "3002",
 "task": "Security Group Management"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json
index e62ac7e2cd74..0105f55f0c77 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json
@@ -25,7 +25,7 @@
 "log": {
 "level": "information"
 },
- "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x1D22ED\n\tLogon GUID:\t{c25cdf73-2322-651f-f4fb-db862c0e03a8}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}",
+ "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x1d22ed\n\tLogon GUID:\t{C25CDF73-2322-651F-F4FB-DB862C0E03A8}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}",
 "related": {
 "user": [
 "Administrator"
@@ -37,8 +37,7 @@
 "name": "Administrator"
 },
 "winlog": {
- "activity_id": "{af6b9825-ffd8-0000-2f9a-6bafd8ffd501}",
- "api": "wineventlog",
+ "activity_id": "{AF6B9825-FFD8-0000-2F9A-6BAFD8FFD501}",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_data": {
@@ -49,7 +48,7 @@
 "SubjectUserName": "WIN-41OB2LO92CR$",
 "SubjectUserSid": "S-1-5-18",
 "TargetDomainName": "WLBEAT",
- "TargetLogonGuid": "{c25cdf73-2322-651f-f4fb-db862c0e03a8}",
+ "TargetLogonGuid": "{C25CDF73-2322-651F-F4FB-DB862C0E03A8}",
 "TargetLogonId": "0x1d22ed",
 "TargetUserName": "Administrator",
 "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500"
@@ -68,7 +67,7 @@
 "id": 828
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "68259",
 "task": "Special Logon"
@@ -100,7 +99,7 @@
 "log": {
 "level": "information"
 },
- "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3E7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x7C0BE\n\tLogon GUID:\t{38fec9bc-577f-76f6-5d29-e0175ce19797}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-512}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-1007}",
+ "message": "Special groups have been assigned to a new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-18\n\tAccount Name:\t\tWIN-41OB2LO92CR$\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x3e7\n\tLogon GUID:\t{00000000-0000-0000-0000-000000000000}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWLBEAT\n\tLogon ID:\t\t0x7c0be\n\tLogon GUID:\t{38FEC9BC-577F-76F6-5D29-E0175CE19797}\n\tSpecial Groups Assigned:\t\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-512}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-519}\n\t\t%{S-1-5-21-101361758-2486510592-3018839910-1007}",
 "related": {
 "user": [
 "Administrator"
@@ -112,8 +111,7 @@
 "name": "Administrator"
 },
 "winlog": {
- "activity_id": "{a22b4bf4-ffdc-0000-ee4d-2ba2dcffd501}",
- "api": "wineventlog",
+ "activity_id": "{A22B4BF4-FFDC-0000-EE4D-2BA2DCFFD501}",
 "channel": "Security",
 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
 "event_data": {
@@ -124,7 +122,7 @@
 "SubjectUserName": "WIN-41OB2LO92CR$",
 "SubjectUserSid": "S-1-5-18",
 "TargetDomainName": "WLBEAT",
- "TargetLogonGuid": "{38fec9bc-577f-76f6-5d29-e0175ce19797}",
+ "TargetLogonGuid": "{38FEC9BC-577F-76F6-5D29-E0175CE19797}",
 "TargetLogonId": "0x7c0be",
 "TargetUserName": "Administrator",
 "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500"
@@ -143,7 +141,7 @@
 "id": 2608
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "68620",
 "task": "Special Logon"
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json
index 6ad492a4179a..ad67510f4801 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json
@@ -24,7 +24,7 @@
 "log": {
 "level": "information"
 },
- "message": "A new process has been created.\n\nCreator Subject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nTarget Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nProcess Information:\n\tNew Process ID:\t\t0x11cc\n\tNew Process Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tToken Elevation Type:\t%%1937\n\tMandatory Label:\t\tS-1-16-12288\n\tCreator Process ID:\t0x122c\n\tCreator Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\tProcess Command Line:\t\"C:\\Windows\\system32\\wevtutil.exe\" cl Security\n\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\n\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\n\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\n\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
+ "message": "A new process has been created.\n\nCreator Subject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274a2\n\nTarget Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\nProcess Information:\n\tNew Process ID:\t\t0x11cc\n\tNew Process Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tToken Elevation Type:\tTokenElevationTypeFull (2)\n\tMandatory Label:\t\tS-1-16-12288\n\tCreator Process ID:\t0x122c\n\tCreator Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n\tProcess Command Line:\t\"C:\\Windows\\system32\\wevtutil.exe\" cl Security\n\nToken Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.\n\nType 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.\n\nType 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.\n\nType 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.",
 "process": {
 "args": [
 "\"C:\\Windows\\system32\\wevtutil.exe\"",
@@ -55,7 +55,6 @@
 "name": "vagrant"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "vagrant",
 "event_data": {
@@ -70,7 +69,7 @@
 "TargetLogonId": "0x0",
 "TargetUserName": "-",
 "TargetUserSid": "S-1-0-0",
- "TokenElevationType": "%%1937"
+ "TokenElevationType": "TokenElevationTypeFull (2)"
 },
 "event_id": "4688",
 "keywords": [
@@ -86,7 +85,7 @@
 "id": 5076
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "5010",
 "task": "Process Creation",
diff --git a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json
index 5ed8e0d2dde9..fe343e8a273a 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json
@@ -24,7 +24,7 @@
 "log": {
 "level": "information"
 },
- "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0x1524\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0",
+ "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274a2\n\nProcess Information:\n\tProcess ID:\t0x1524\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0",
 "process": {
 "executable": "C:\\Windows\\System32\\wevtutil.exe",
 "name": "wevtutil.exe",
@@ -41,7 +41,6 @@
 "name": "vagrant"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "vagrant",
 "event_data": {
@@ -65,7 +64,7 @@
 "id": 1168
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "7538",
 "task": "Process Termination"
@@ -96,7 +95,7 @@
 "log": {
 "level": "information"
 },
- "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274F1\n\nProcess Information:\n\tProcess ID:\t0xf94\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tExit Status:\t0x0",
+ "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274f1\n\nProcess Information:\n\tProcess ID:\t0xf94\n\tProcess Name:\tC:\\Windows\\System32\\taskhostw.exe\n\tExit Status:\t0x0",
 "process": {
 "executable": "C:\\Windows\\System32\\taskhostw.exe",
 "name": "taskhostw.exe",
@@ -113,7 +112,6 @@
 "name": "vagrant"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "vagrant",
 "event_data": {
@@ -137,7 +135,7 @@
 "id": 500
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "7542",
 "task": "Process Termination"
@@ -168,7 +166,7 @@
 "log": {
 "level": "information"
 },
- "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274A2\n\nProcess Information:\n\tProcess ID:\t0xac8\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0",
+ "message": "A process has exited.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1610636575-2290000098-1654242922-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT\n\tLogon ID:\t\t0x274a2\n\nProcess Information:\n\tProcess ID:\t0xac8\n\tProcess Name:\tC:\\Windows\\System32\\wevtutil.exe\n\tExit Status:\t0x0",
 "process": {
 "executable": "C:\\Windows\\System32\\wevtutil.exe",
 "name": "wevtutil.exe",
@@ -185,7 +183,6 @@
 "name": "vagrant"
 },
 "winlog": {
- "api": "wineventlog",
 "channel": "Security",
 "computer_name": "vagrant",
 "event_data": {
@@ -209,7 +206,7 @@
 "id": 5636
 }
 },
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
 "provider_name": "Microsoft-Windows-Security-Auditing",
 "record_id": "7544",
 "task": "Process Termination"
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
index be32a76383ef..f641be5635c3 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
@@ -30,6 +30,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -49,11 +50,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.239\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: go.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 go.microsoft.com.edgekey.net;type: 5 e11290.dspg.akamaiedge.net;::ffff:23.223.14.67;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "entity_id": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 356 @@ -77,7 +79,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -88,9 +89,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "66", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -131,6 +133,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
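Review bot: The added `message` value ends with `User: %9`, an unresolved insertion-string placeholder, presumably because this Sysmon 10.2 event carries fewer EventData values than the provider's current message template expects; indexing the literal `%9` into `message` is misleading for analysts and is now baked into the golden file as correct. I would have the raw-API renderer strip or blank trailing unresolved `%N` tokens (or at least add a test comment recording that the placeholder is expected for older Sysmon versions) rather than pin it as expected output. In the same hunk `process.entity_id` (the Sysmon ProcessGuid) changes from lowercase to uppercase; this field is the correlation key between process-creation and later events, so term queries on a keyword field will not join an event 1 indexed by an older agent with an event 22 from the upgraded one, and the change should be documented or the case normalized to what older data already uses. The enclosing JSON document starts and ends outside this hunk.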
@@ -150,11 +153,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.261\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: www.msn.com\nQueryStatus: 0\nQueryResults: type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -178,7 +182,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -189,9 +192,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "67", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -233,6 +237,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -252,11 +257,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.449\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: static-global-s-msn-com.akamaized.net\nQueryStatus: 0\nQueryResults: type: 5 a1999.dscg2.akamai.net;::ffff:23.50.53.192;::ffff:23.50.53.195;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -280,7 +286,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -291,9 +296,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "68", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -339,6 +345,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -358,11 +365,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.457\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: www.bing.com\nQueryStatus: 0\nQueryResults: type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "entity_id": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 356 @@ -387,7 +395,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -398,9 +405,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "69", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -441,6 +449,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -460,11 +469,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.494\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: linkmaker.itunes.apple.com\nQueryStatus: 0\nQueryResults: type: 5 linkmaker.itunes.apple.com.edgekey.net;type: 5 e4541.dsce9.akamaiedge.net;::ffff:23.64.104.249;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -488,7 +498,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -499,9 +508,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "70", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -549,6 +559,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -568,11 +579,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.810\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: confiant-integrations.global.ssl.fastly.net\nQueryStatus: 0\nQueryResults: ::ffff:151.101.1.194;::ffff:151.101.65.194;::ffff:151.101.129.194;::ffff:151.101.193.194;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -597,7 +609,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -608,9 +619,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "71", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -647,6 +659,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -666,11 +679,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.894\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: c.msn.com\nQueryStatus: 0\nQueryResults: type: 5 c.msn.com.nsatc.net;::ffff:20.36.253.92;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 
@@ -693,7 +707,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -704,9 +717,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "72", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -752,6 +766,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -771,11 +786,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:01.948\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: c.bing.com\nQueryStatus: 0\nQueryResults: type: 5 c-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:13.107.21.200;::ffff:204.79.197.200;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -800,7 +816,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -811,9 +826,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "73", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -846,6 +862,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -865,11 +882,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.085\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: contextual.media.net\nQueryStatus: 0\nQueryResults: ::ffff:23.52.167.93;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -891,7 +909,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -902,9 +919,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "74", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -953,6 +971,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -972,11 +991,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.174\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: at.atwola.com\nQueryStatus: 0\nQueryResults: type: 5 glb-ads.atwola.adtechus.com;type: 5 cs670.wac.thetacdn.net;type: 5 cs670.lb.wac.apr-1b09e.edgecastdns.net;type: 5 cs935.wac.thetacdn.net;::ffff:152.195.32.120;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -1002,7 +1022,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -1013,9 +1032,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "75", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1096,6 +1116,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -1115,11 +1136,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.274\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: m.adnxs.com\nQueryStatus: 0\nQueryResults: type: 5 microsoft.geo.appnexusgslb.net;type: 5 m.anycast.adnxs.com;::ffff:204.13.192.56;::ffff:204.13.192.120;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -1151,7 +1173,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -1162,9 +1183,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "76", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1201,6 +1223,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -1220,11 +1243,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.291\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cms.analytics.yahoo.com\nQueryStatus: 0\nQueryResults: type: 5 spcms-global.pbp.gysm.yahoodns.net;::ffff:74.6.137.78;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -1247,7 +1271,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -1258,9 +1281,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "77", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1301,6 +1325,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -1320,11 +1345,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.413\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cvision.media.net\nQueryStatus: 0\nQueryResults: type: 5 cvision.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -1348,7 +1374,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -1359,9 +1384,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "78", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1407,6 +1433,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -1426,11 +1453,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.424\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: g.bing.com\nQueryStatus: 0\nQueryResults: type: 5 g-bing-com.a-0001.a-msedge.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -1455,7 +1483,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -1466,9 +1493,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "79", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1501,6 +1529,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -1520,11 +1549,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.427\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: lg3.media.net\nQueryStatus: 0\nQueryResults: ::ffff:23.52.167.93;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 
@@ -1546,7 +1576,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -1557,9 +1586,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "80", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1606,6 +1636,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -1625,11 +1656,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.469\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: service.sp.advertising.com\nQueryStatus: 0\nQueryResults: type: 5 service.sp.aolp-ds-prd.aws.oath.cloud;::ffff:54.88.96.255;::ffff:34.233.100.168;::ffff:54.209.58.223;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -1654,7 +1686,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -1665,9 +1696,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "81", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1708,6 +1740,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -1727,11 +1760,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.485\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sb.scorecardresearch.com\nQueryStatus: 0\nQueryResults: type: 5 sb.scorecardresearch.com.edgekey.net;type: 5 e1879.e7.akamaiedge.net;::ffff:184.25.176.117;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -1755,7 +1789,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -1766,9 +1799,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "82", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1809,6 +1843,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -1828,11 +1863,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.500\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: otf.msn.com\nQueryStatus: 0\nQueryResults: type: 5 iceotf-prod-fe-tm.trafficmanager.net;type: 5 iceotf-prod-fe-eastus.cloudapp.net;::ffff:40.114.54.223;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -1856,7 +1892,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -1867,9 +1902,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "83", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1937,6 +1973,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -1956,11 +1993,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.580\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ping.chartbeat.net\nQueryStatus: 0\nQueryResults: ::ffff:35.171.101.225;::ffff:34.196.57.87;::ffff:34.194.164.46;::ffff:34.233.181.142;::ffff:34.194.167.169;::ffff:34.193.242.172;::ffff:34.234.152.11;::ffff:34.206.12.124;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -1989,7 +2027,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -2000,9 +2037,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "84", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2050,6 +2088,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -2069,11 +2108,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.628\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: clarium.freetls.fastly.net\nQueryStatus: 0\nQueryResults: ::ffff:151.101.194.79;::ffff:151.101.2.79;::ffff:151.101.66.79;::ffff:151.101.130.79;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -2098,7 +2138,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -2109,9 +2148,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "85", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2204,6 +2244,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -2223,11 +2264,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.633\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: nym1-ib.adnxs.com\nQueryStatus: 0\nQueryResults: ::ffff:68.67.178.252;::ffff:68.67.179.11;::ffff:68.67.179.228;::ffff:68.67.178.184;::ffff:204.13.192.141;::ffff:68.67.180.43;::ffff:68.67.179.23;::ffff:68.67.179.197;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -2261,7 +2303,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -2272,9 +2313,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "86", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2355,6 +2397,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -2374,11 +2417,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.716\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: eb2.3lift.com\nQueryStatus: 0\nQueryResults: type: 5 us-east-eb2.3lift.com;type: 5 dualstack.engagement-bus-prod-713264365.us-east-1.elb.amazonaws.com;::ffff:34.196.86.129;::ffff:34.233.250.110;::ffff:18.209.244.108;::ffff:34.224.204.11;::ffff:34.237.44.255;::ffff:3.210.231.21;::ffff:54.172.198.255;::ffff:34.199.186.227;192.5.6.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -2410,7 +2454,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -2421,9 +2464,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "87", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2509,6 +2553,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -2528,11 +2573,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.727\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: px.ads.linkedin.com\nQueryStatus: 0\nQueryResults: type: 5 mix.linkedin.com;type: 5 any-na.mix.linkedin.com;::ffff:108.174.10.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -2565,7 +2611,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -2576,9 +2621,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "88", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2629,6 +2675,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -2648,11 +2695,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.733\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: login.live.com\nQueryStatus: 0\nQueryResults: type: 5 login.msa.msidentity.com;type: 5 lgin.msa.trafficmanager.net;::ffff:40.90.23.239;::ffff:40.90.23.213;::ffff:40.90.23.154;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -2678,7 +2726,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -2689,9 +2736,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "89", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2779,6 +2827,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -2798,11 +2847,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.792\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dis.criteo.com\nQueryStatus: 0\nQueryResults: ::ffff:74.119.119.150;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -2835,7 +2885,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -2846,9 +2895,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "90", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2939,6 +2989,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -2958,11 +3009,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.792\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ib.adnxs.com\nQueryStatus: 0\nQueryResults: type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.180.12;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -2996,7 +3048,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -3007,9 +3058,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "91", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -3046,6 +3098,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -3065,11 +3118,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.809\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cm.g.doubleclick.net\nQueryStatus: 0\nQueryResults: type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -3092,7 +3146,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -3103,9 +3156,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "92", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -3187,6 +3241,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -3206,11 +3261,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.821\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: match.adsrvr.org\nQueryStatus: 0\nQueryResults: type: 5 match-975362022.us-east-1.elb.amazonaws.com;::ffff:54.208.129.24;::ffff:54.175.5.93;::ffff:52.86.210.96;::ffff:3.93.252.59;::ffff:54.86.97.130;::ffff:34.194.239.194;::ffff:3.94.67.102;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -3242,7 +3298,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -3253,9 +3308,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "93", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -3296,6 +3352,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -3315,11 +3372,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.821\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ssum-sec.casalemedia.com\nQueryStatus: 0\nQueryResults: type: 5 ssum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -3343,7 +3401,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -3354,9 +3411,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "94", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -3438,6 +3496,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -3457,11 +3516,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.828\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: protected-by.clarium.io\nQueryStatus: 0\nQueryResults: type: 5 adserver-clarium-446793891.us-east-1.elb.amazonaws.com;::ffff:18.204.130.216;::ffff:18.209.246.43;::ffff:107.23.153.61;::ffff:18.235.141.27;::ffff:3.210.79.248;::ffff:18.209.146.43;::ffff:18.210.64.206;::ffff:18.214.161.226;192.5.6.30;2001:503:a83e::2:30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -3493,7 +3553,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -3504,9 +3563,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "95", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -3543,6 +3603,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -3562,11 +3623,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.838\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pagead2.googlesyndication.com\nQueryStatus: 0\nQueryResults: type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -3589,7 +3651,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -3600,9 +3661,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "96", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -3639,6 +3701,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -3658,11 +3721,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.839\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: googleads.g.doubleclick.net\nQueryStatus: 0\nQueryResults: type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 
@@ -3685,7 +3749,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -3696,9 +3759,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "97", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -3774,6 +3838,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -3793,11 +3858,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.841\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel.advertising.com\nQueryStatus: 0\nQueryResults: type: 5 prod.ups-adcom.aolp-ds-prd.aws.oath.cloud;type: 5 prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud;::ffff:52.22.184.73;::ffff:54.152.30.174;::ffff:3.213.70.197;::ffff:54.158.57.141;::ffff:52.6.39.34;::ffff:52.0.113.251;::ffff:3.213.8.28;::ffff:3.215.246.105;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -3828,7 +3894,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", 
@@ -3839,9 +3904,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "98", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -3906,6 +3972,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -3925,11 +3992,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.844\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: onevideosync.uplynk.com\nQueryStatus: 0\nQueryResults: type: 5 uplynk.adaptv.advertising.com;type: 5 uplynk-geo.adap.tv;type: 5 uplynk-beacon-newvpc-1603485991.us-east-1.elb.amazonaws.com;::ffff:54.210.214.197;::ffff:52.202.202.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -3958,7 +4026,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -3969,9 +4036,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "99", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4008,6 +4076,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -4027,11 +4096,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:02.956\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ad.turn.com\nQueryStatus: 0\nQueryResults: type: 5 ad.turn.com.akadns.net;::ffff:50.116.194.21;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -4054,7 +4124,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -4065,9 +4134,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "100", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4139,6 +4209,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -4158,11 +4229,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.005\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ups.analytics.yahoo.com\nQueryStatus: 0\nQueryResults: type: 5 prod.ups-yahoo.aolp-ds-prd.aws.oath.cloud;::ffff:34.225.20.218;::ffff:3.216.14.125;::ffff:52.200.28.150;::ffff:3.216.103.132;::ffff:52.4.86.222;::ffff:52.21.200.160;::ffff:3.216.249.238;::ffff:3.94.175.146;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -4192,7 +4264,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -4203,9 +4274,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "101", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4292,6 +4364,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -4311,11 +4384,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.070\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pm.w55c.net\nQueryStatus: 0\nQueryResults: type: 5 dxedge-prod-lb-946522505.us-east-1.elb.amazonaws.com;::ffff:34.237.248.89;::ffff:35.153.21.25;::ffff:52.200.238.112;::ffff:52.206.93.38;::ffff:34.227.35.137;::ffff:35.169.96.208;::ffff:52.22.206.42;::ffff:52.201.81.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -4348,7 +4422,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -4359,9 +4432,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "102", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4449,6 +4523,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -4468,11 +4543,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.093\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cm.eyereturn.com\nQueryStatus: 0\nQueryResults: ::ffff:35.186.239.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -4505,7 +4581,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -4516,9 +4591,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "103", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4555,6 +4631,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -4574,11 +4651,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.099\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: www.googletagservices.com\nQueryStatus: 0\nQueryResults: type: 5 pagead46.l.doubleclick.net;::ffff:172.217.10.66;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -4601,7 +4679,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -4612,9 +4689,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "104", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4701,6 +4779,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -4720,11 +4799,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.107\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cm.adgrx.com\nQueryStatus: 0\nQueryResults: type: 5 rtb.adgrx.com;::ffff:173.231.178.117;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -4757,7 +4837,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -4768,9 +4847,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "105", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4851,6 +4931,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -4870,11 +4951,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.107\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: csm2waycm-atl.netmng.com\nQueryStatus: 0\nQueryResults: type: 5 j2waycm.netmng.com;type: 5 j2waycm-us-wdc.netmng.com;::ffff:104.193.83.156;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -4906,7 +4988,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -4917,9 +4998,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "106", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -4956,6 +5038,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -4975,11 +5058,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.112\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pr-bh.ybp.yahoo.com\nQueryStatus: 0\nQueryResults: type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:72.30.2.182;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -5002,7 +5086,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -5013,9 +5096,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "107", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5048,6 +5132,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -5067,11 +5152,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.113\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ps.eyeota.net\nQueryStatus: 0\nQueryResults: ::ffff:3.83.220.223;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 
@@ -5093,7 +5179,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -5104,9 +5189,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "108", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5156,6 +5242,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -5175,11 +5262,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.146\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: idpix.media6degrees.com\nQueryStatus: 0\nQueryResults: type: 5 idpix.media6degrees.com.cdn.cloudflare.net;type: 5 map.media6degrees.com;type: 5 map.media6degrees.com.cdn.cloudflare.net;::ffff:204.2.197.201;::ffff:204.2.197.211;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -5205,7 +5293,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -5216,9 +5303,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "109", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", 
@@ -5295,6 +5383,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -5314,11 +5403,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.146\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tpc.googlesyndication.com\nQueryStatus: 0\nQueryResults: type: 5 pagead-googlehosted.l.google.com;::ffff:172.217.10.1;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -5349,7 +5439,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -5360,9 +5449,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "110", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5443,6 +5533,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -5462,11 +5553,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.182\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: image2.pubmatic.com\nQueryStatus: 0\nQueryResults: type: 5 pug44000nfc.pubmatic.com;type: 5 pug44000nf.pubmatic.com;::ffff:162.248.19.147;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -5498,7 +5590,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -5509,9 +5600,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "111", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5556,6 +5648,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -5575,11 +5668,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.183\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sam.msn.com\nQueryStatus: 0\nQueryResults: type: 5 www.msn.com;type: 5 www-msn-com.a-0003.a-msedge.net;type: 5 a-0003.a-msedge.net;::ffff:204.79.197.203;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -5604,7 +5698,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -5615,9 +5708,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "112", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5705,6 +5799,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -5724,11 +5819,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.222\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.sca1b.amazontrust.com\nQueryStatus: 0\nQueryResults: ::ffff:52.85.89.250;::ffff:52.85.89.94;::ffff:52.85.89.22;::ffff:52.85.89.139;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -5761,7 +5857,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -5772,9 +5867,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "113", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5820,6 +5916,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -5839,11 +5936,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.271\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: c1.adform.net\nQueryStatus: 0\nQueryResults: type: 5 track.adformnet.akadns.net;type: 5 track-us.adformnet.akadns.net;::ffff:185.167.164.43;::ffff:185.167.164.42;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -5868,7 +5966,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -5879,9 +5976,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "114", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -5947,6 +6045,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -5966,11 +6065,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.271\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: urs.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-southcentral-2-fe.southcentralus.cloudapp.azure.com;::ffff:40.84.140.84;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -5999,7 +6099,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6010,9 +6109,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "115", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6053,6 +6153,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -6072,11 +6173,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.290\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dsum-sec.casalemedia.com\nQueryStatus: 0\nQueryResults: type: 5 dsum-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -6100,7 +6202,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6111,9 +6212,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "116", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6150,6 +6252,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -6169,11 +6272,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.292\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.godaddy.com\nQueryStatus: 0\nQueryResults: type: 5 ocsp.godaddy.com.akadns.net;::ffff:72.167.239.239;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -6196,7 +6300,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6207,9 +6310,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "117", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6233,6 +6337,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -6252,11 +6357,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.315\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: googleads.g.doubleclick.net\nQueryStatus: 9701\nQueryResults: \nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 
@@ -6275,7 +6381,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6286,9 +6391,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "118", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6312,6 +6418,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -6331,11 +6438,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.315\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tpc.googlesyndication.com\nQueryStatus: 9701\nQueryResults: \nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -6354,7 +6462,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6365,9 +6472,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "119", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6449,6 +6557,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -6468,11 +6577,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.333\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.usertrust.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -6504,7 +6614,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6515,9 +6624,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "120", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6563,6 +6673,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -6582,11 +6693,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.343\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: isrg.trustid.ocsp.identrust.com\nQueryStatus: 0\nQueryResults: type: 5 isrg.trustid.ocsp.identrust.com.edgesuite.net;type: 5 a279.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.176;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -6611,7 +6723,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6622,9 +6733,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "121", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6661,6 +6773,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -6680,11 +6793,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.391\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ad.doubleclick.net\nQueryStatus: 0\nQueryResults: type: 5 dart.l.doubleclick.net;::ffff:172.217.6.198;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -6707,7 +6821,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6718,9 +6831,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "122", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6802,6 +6916,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -6821,11 +6936,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.393\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.sectigo.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -6857,7 +6973,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6868,9 +6983,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "123", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -6916,6 +7032,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -6935,11 +7052,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.468\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.int-x3.letsencrypt.org\nQueryStatus: 0\nQueryResults: type: 5 ocsp.int-x3.letsencrypt.org.edgesuite.net;type: 5 a771.dscq.akamai.net;::ffff:23.50.53.179;::ffff:23.50.53.177;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -6964,7 +7082,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -6975,9 +7092,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "124", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7059,6 +7177,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -7078,11 +7197,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.581\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.pki.goog\nQueryStatus: 0\nQueryResults: type: 5 pki-goog.l.google.com;::ffff:172.217.12.195;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -7114,7 +7234,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -7125,9 +7244,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "125", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7164,6 +7284,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -7183,11 +7304,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.872\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: googleads4.g.doubleclick.net\nQueryStatus: 0\nQueryResults: type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -7210,7 +7332,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -7221,9 +7342,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "126", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7275,6 +7397,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -7294,11 +7417,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.889\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: images.taboola.com\nQueryStatus: 0\nQueryResults: type: 5 f2.taboola.map.fastly.net;::ffff:151.101.2.2;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -7324,7 +7448,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -7335,9 +7458,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "127", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7389,6 +7513,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -7408,11 +7533,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.890\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: api-s2s.taboola.com\nQueryStatus: 0\nQueryResults: type: 5 f2.taboola.map.fastly.net;::ffff:151.101.66.2;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -7438,7 +7564,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -7449,9 +7574,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "128", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7489,6 +7615,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -7508,11 +7635,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.892\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: x.bidswitch.net\nQueryStatus: 0\nQueryResults: ::ffff:35.231.30.22;::ffff:35.196.212.198;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -7535,7 +7663,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -7546,9 +7673,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "129", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7630,6 +7758,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -7649,11 +7778,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.894\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel.adsafeprotected.com\nQueryStatus: 0\nQueryResults: type: 5 anycast.pixel.adsafeprotected.com;::ffff:199.166.0.26;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -7685,7 +7815,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -7696,9 +7825,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "130", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7785,6 +7915,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -7804,11 +7935,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.894\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ml314.com\nQueryStatus: 0\nQueryResults: ::ffff:35.171.48.231;::ffff:52.206.107.32;::ffff:35.175.80.59;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -7841,7 +7973,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -7852,9 +7983,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "131", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -7942,6 +8074,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -7961,11 +8094,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.902\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: aa.agkn.com\nQueryStatus: 0\nQueryResults: ::ffff:156.154.200.36;::ffff:63.251.88.56;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -7998,7 +8132,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -8009,9 +8142,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "132", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -8093,6 +8227,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -8112,11 +8247,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.911\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: s0.2mdn.net\nQueryStatus: 0\nQueryResults: type: 5 s0-2mdn-net.l.google.com;::ffff:172.217.10.134;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -8148,7 +8284,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -8159,9 +8294,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "133", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -8207,6 +8343,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -8226,11 +8363,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.911\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: b.scorecardresearch.com\nQueryStatus: 0\nQueryResults: type: 5 b.scorecardresearch.com.edgesuite.net;type: 5 a1294.w20.akamai.net;::ffff:23.50.53.195;::ffff:23.50.53.185;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -8255,7 +8393,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -8266,9 +8403,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "134", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -8320,6 +8458,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -8339,11 +8478,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:03.921\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: edw.edmunds.com\nQueryStatus: 0\nQueryResults: type: 5 f2.shared.global.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -8369,7 +8509,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -8380,9 +8519,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "135", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -8419,6 +8559,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -8438,11 +8579,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.101\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.digicert.com\nQueryStatus: 0\nQueryResults: type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -8465,7 +8607,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -8476,9 +8617,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "136", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -8560,6 +8702,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -8579,11 +8722,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.137\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pre-usermatch.targeting.unrulymedia.com\nQueryStatus: 0\nQueryResults: type: 5 usermatch.targeting.unrulymedia.com;::ffff:35.167.55.0;::ffff:52.24.219.168;::ffff:52.43.21.209;::ffff:54.200.225.167;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -8615,7 +8759,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -8626,9 +8769,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "137", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -8720,6 +8864,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -8739,11 +8884,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.141\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: farm.plista.com\nQueryStatus: 0\nQueryResults: type: 5 farm-hetzner.plista.com;::ffff:144.76.67.119;::ffff:148.251.77.207;::ffff:148.251.15.115;::ffff:176.9.103.51;::ffff:88.198.208.110;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -8777,7 +8923,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -8788,9 +8933,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "138", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -8871,6 +9017,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -8890,11 +9037,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.168\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: beacon.krxd.net\nQueryStatus: 0\nQueryResults: type: 5 beacon-n-ash.lb.krxd.net;type: 5 beacon-17-537698933.us-east-1.elb.amazonaws.com;::ffff:50.17.180.35;::ffff:50.19.103.40;::ffff:50.19.210.19;::ffff:50.19.117.149;::ffff:50.19.222.244;::ffff:50.19.222.88;::ffff:50.19.81.100;::ffff:54.204.10.30;192.5.6.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -8926,7 +9074,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -8937,9 +9084,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "139", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -8980,6 +9128,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -8999,11 +9148,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.169\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dsum.casalemedia.com\nQueryStatus: 0\nQueryResults: type: 5 dsum.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.52.162.21;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -9027,7 +9177,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -9038,9 +9187,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "140", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -9127,6 +9277,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -9146,11 +9297,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.169\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.mathtag.com\nQueryStatus: 0\nQueryResults: type: 5 pixel-origin.mathtag.com;::ffff:216.200.232.235;::ffff:216.200.232.201;::ffff:74.121.138.26;::ffff:216.200.232.185;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -9183,7 +9335,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -9194,9 +9345,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "141", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -9237,6 +9389,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -9256,11 +9409,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.184\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: status.rapidssl.com\nQueryStatus: 0\nQueryResults: type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -9284,7 +9438,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -9295,9 +9448,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "142", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -9384,6 +9538,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -9403,11 +9558,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.184\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.extend.tv\nQueryStatus: 0\nQueryResults: type: 5 cookiesyncing-1395500543.us-east-1.elb.amazonaws.com;::ffff:34.197.195.131;::ffff:34.192.39.82;::ffff:34.199.231.204;::ffff:34.199.113.81;::ffff:34.197.3.157;::ffff:34.205.112.156;::ffff:34.195.29.8;::ffff:34.201.247.123;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -9440,7 +9596,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -9451,9 +9606,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "143", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -9535,6 +9691,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -9554,11 +9711,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.185\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.comodoca.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -9590,7 +9748,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -9601,9 +9758,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "144", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -9663,6 +9821,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -9682,11 +9841,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.189\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync-tm.everesttech.net\nQueryStatus: 0\nQueryResults: type: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;::ffff:151.101.194.49;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -9714,7 +9874,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -9725,9 +9884,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "145", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -9815,6 +9975,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -9834,11 +9995,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.237\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: idsync.rlcdn.com\nQueryStatus: 0\nQueryResults: ::ffff:34.95.92.78;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -9871,7 +10033,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -9882,9 +10043,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "146", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -9946,6 +10108,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -9965,11 +10128,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.274\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cm.adform.net\nQueryStatus: 0\nQueryResults: type: 5 track-eu.adformnet.akadns.net;::ffff:37.157.2.239;::ffff:37.157.6.253;::ffff:37.157.2.238;::ffff:37.157.4.25;::ffff:37.157.4.24;::ffff:37.157.6.247;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -9997,7 +10161,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -10008,9 +10171,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "147", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -10043,6 +10207,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -10062,11 +10227,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.302\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dm.hybrid.ai\nQueryStatus: 0\nQueryResults: ::ffff:37.18.16.16;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -10088,7 +10254,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -10099,9 +10264,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "148", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -10183,6 +10349,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -10202,11 +10369,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.304\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: static.adsafeprotected.com\nQueryStatus: 0\nQueryResults: type: 5 anycast.static.adsafeprotected.com;::ffff:199.166.0.32;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -10238,7 +10406,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -10249,9 +10416,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "149", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -10303,6 +10471,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -10322,11 +10491,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.322\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: trc.taboola.com\nQueryStatus: 0\nQueryResults: type: 5 f2.taboola.map.fastly.net;::ffff:151.101.130.2;::ffff:151.101.194.2;::ffff:151.101.2.2;::ffff:151.101.66.2;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -10352,7 +10522,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -10363,9 +10532,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "150", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -10397,6 +10567,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -10416,11 +10587,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.379\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pippio.com\nQueryStatus: 0\nQueryResults: ::ffff:107.178.254.65;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 
@@ -10442,7 +10614,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -10453,9 +10624,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "151", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -10537,6 +10709,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -10556,11 +10729,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.482\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel-sync.sitescout.com\nQueryStatus: 0\nQueryResults: type: 5 pixel-a.sitescout.com;::ffff:209.15.36.34;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -10592,7 +10766,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -10603,9 +10776,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "152", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", 
@@ -10688,6 +10862,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -10707,11 +10882,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.502\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: prod.y-medialink.com\nQueryStatus: 0\nQueryResults: ::ffff:35.186.202.217;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -10743,7 +10919,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -10754,9 +10929,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "153", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -10818,6 +10994,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -10837,11 +11014,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.507\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: jadserve.postrelease.com\nQueryStatus: 0\nQueryResults: type: 5 jadserve.postrelease.com.akadns.net;::ffff:54.80.117.178;::ffff:3.217.22.176;::ffff:35.153.215.15;::ffff:52.207.54.164;::ffff:52.204.186.237;::ffff:52.86.46.105;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -10869,7 +11047,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -10880,9 +11057,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "154", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -10964,6 +11142,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -10983,11 +11162,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.508\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: appnexus-partners.tremorhub.com\nQueryStatus: 0\nQueryResults: type: 5 partners-1732315393.us-east-1.elb.amazonaws.com;::ffff:107.21.43.184;::ffff:54.164.220.86;::ffff:52.72.172.174;::ffff:3.209.65.250;::ffff:3.94.51.187;::ffff:34.193.211.130;::ffff:18.214.47.10;::ffff:18.214.151.246;192.5.6.30;2001:503:a83e::2:30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -11019,7 +11199,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -11030,9 +11209,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "155", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -11103,6 +11283,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -11122,11 +11303,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.531\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: x.dlx.addthis.com\nQueryStatus: 0\nQueryResults: type: 5 gtm13.nexac.com;type: 5 ad2deadfb5fbf11e9872302ad9419486-194325762.us-east-1.elb.amazonaws.com;::ffff:107.21.14.70;::ffff:107.23.33.163;::ffff:23.22.192.59;::ffff:100.24.96.238;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -11156,7 +11338,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -11167,9 +11348,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "156", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -11240,6 +11422,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -11259,11 +11442,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.532\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dh.serving-sys.com\nQueryStatus: 0\nQueryResults: type: 5 haproxy-dmp.sizmdx.com;type: 5 dmp-prod-haproxyd-14y2amas34vrd-330219680.us-east-1.elb.amazonaws.com;::ffff:18.205.112.71;::ffff:50.19.40.146;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -11293,7 +11477,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -11304,9 +11487,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "157", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -11398,6 +11582,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -11417,11 +11602,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.534\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: match.sharethrough.com\nQueryStatus: 0\nQueryResults: type: 5 match-us-east-1.sharethrough.com;::ffff:52.55.160.246;::ffff:3.211.67.240;::ffff:35.173.61.59;::ffff:34.233.179.235;::ffff:34.228.105.237;::ffff:52.7.23.213;::ffff:52.201.177.113;::ffff:34.235.70.251;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -11455,7 +11641,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -11466,9 +11651,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "158", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -11551,6 +11737,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -11570,11 +11757,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.601\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tags.rd.linksynergy.com\nQueryStatus: 0\nQueryResults: ::ffff:35.241.16.233;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -11606,7 +11794,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -11617,9 +11804,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "159", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -11695,6 +11883,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -11714,11 +11903,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.604\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: rtb-csync.smartadserver.com\nQueryStatus: 0\nQueryResults: type: 5 2-01-275d-002d.cdx.cedexis.net;type: 5 rtb-csync-tmk.smartadserver.com;::ffff:199.187.193.166;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -11749,7 +11939,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -11760,9 +11949,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "160", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -11844,6 +12034,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -11863,11 +12054,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.621\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sc.iasds01.com\nQueryStatus: 0\nQueryResults: type: 5 anycast.sc.iasds01.com;::ffff:199.166.0.200;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -11899,7 +12091,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -11910,9 +12101,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "161", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -11994,6 +12186,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12013,11 +12206,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.822\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dt.adsafeprotected.com\nQueryStatus: 0\nQueryResults: type: 5 sjedt.adsafeprotected.com;::ffff:104.244.38.20;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -12049,7 +12243,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -12060,9 +12253,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "162", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -12103,6 +12297,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12122,11 +12317,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.822\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: status.thawte.com\nQueryStatus: 0\nQueryResults: type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -12150,7 +12346,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -12161,9 +12356,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "163", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -12243,6 +12439,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12262,11 +12459,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.860\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ads.stickyadstv.com\nQueryStatus: 0\nQueryResults: type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 wlb1.ads.stickyadstv.com.akadns.net;type: 5 fp4.ads.stickyadstv.com.akadns.net;::ffff:38.134.110.101;::ffff:38.134.110.143;::ffff:38.134.110.141;::ffff:38.134.110.171;::ffff:38.134.110.177;::ffff:38.134.110.115;::ffff:38.134.110.104;::ffff:38.134.110.114;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -12298,7 +12496,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -12309,9 +12506,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "164", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -12352,6 +12550,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12371,11 +12570,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.904\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: hbx.media.net\nQueryStatus: 0\nQueryResults: type: 5 hbx.media.net.edgekey.net;type: 5 e607.d.akamaiedge.net;::ffff:23.52.167.93;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -12399,7 +12599,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -12410,9 +12609,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "165", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -12464,6 +12664,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12483,11 +12684,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:04.911\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: match.taboola.com\nQueryStatus: 0\nQueryResults: type: 5 trc.taboola.map.fastly.net;::ffff:151.101.194.49;::ffff:151.101.2.49;::ffff:151.101.66.49;::ffff:151.101.130.49;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -12513,7 +12715,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -12524,9 +12725,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "166", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -12568,6 +12770,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12587,11 +12790,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.056\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: img-s-msn-com.akamaized.net\nQueryStatus: 0\nQueryResults: type: 5 a1834.dspg2.akamai.net;::ffff:23.50.53.185;::ffff:23.50.53.194;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -12615,7 +12819,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -12626,9 +12829,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "167", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -12670,6 +12874,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12689,11 +12894,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.064\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: static-entertainment-eus-s-msn-com.akamaized.net\nQueryStatus: 0\nQueryResults: type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -12717,7 +12923,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -12728,9 +12933,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "168", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -12771,6 +12977,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12790,11 +12997,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.178\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: radarmaps.weather.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 radarmaps.weather.microsoft.com.edgekey.net;type: 5 e15275.g.akamaiedge.net;::ffff:23.217.149.91;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -12818,7 +13026,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -12829,9 +13036,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "169", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -12873,6 +13081,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12892,11 +13101,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.455\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: static-entertainment-eus-s-msn-com.akamaized.net\nQueryStatus: 0\nQueryResults: type: 5 a1505.g2.akamai.net;::ffff:23.50.53.194;::ffff:23.50.53.186;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "entity_id": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 356 @@ -12920,7 +13130,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -12931,9 +13140,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "170", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -12970,6 +13180,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -12989,11 +13200,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.494\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tag.sp.advertising.com\nQueryStatus: 0\nQueryResults: type: 5 cs747173190.wac.omegacdn.net;::ffff:152.195.32.163;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -13016,7 +13228,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -13027,9 +13238,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "171", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -13075,6 +13287,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -13094,11 +13307,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:06.567\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: www.bing.com\nQueryStatus: 0\nQueryResults: type: 5 a-0001.a-afdentry.net.trafficmanager.net;type: 5 dual-a-0001.a-msedge.net;::ffff:204.79.197.200;::ffff:13.107.21.200;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -13123,7 +13337,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -13134,9 +13347,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "172", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -13177,6 +13391,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -13196,11 +13411,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.228\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cdn.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -13224,7 +13440,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -13235,9 +13450,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "173", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -13282,6 +13498,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -13301,11 +13518,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.357\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cdn3.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 cdn.doubleverify.com;type: 5 akacdn.doubleverify.com.edgekey.net;type: 5 e17513.d.akamaiedge.net;::ffff:23.52.164.109;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -13330,7 +13548,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -13341,9 +13558,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "174", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -13384,6 +13602,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -13403,11 +13622,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.721\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: rtb0.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 bs-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -13431,7 +13651,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -13442,9 +13661,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "175", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -13485,6 +13705,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -13504,11 +13725,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.774\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dev.virtualearth.net\nQueryStatus: 0\nQueryResults: type: 5 platform.maps.glbdns2.microsoft.com;type: 5 fe-bmplatform-prod-atm.trafficmanager.net;::ffff:20.36.236.157;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -13532,7 +13754,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -13543,9 +13764,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "176", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -13586,6 +13808,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -13605,11 +13828,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.847\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: t.ssl.ak.dynamic.tiles.virtualearth.net\nQueryStatus: 0\nQueryResults: type: 5 t.ssl.ak.dynamic.tiles.virtualearth.net.edgekey.net;type: 5 e7622.g.akamaiedge.net;::ffff:23.52.161.238;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -13633,7 +13857,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -13644,9 +13867,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "177", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -13734,6 +13958,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -13753,11 +13978,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.943\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: rp.gwallet.com\nQueryStatus: 0\nQueryResults: ::ffff:74.217.253.61;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -13790,7 +14016,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -13801,9 +14026,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "178", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -13855,6 +14081,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -13874,11 +14101,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.945\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ads.yahoo.com\nQueryStatus: 0\nQueryResults: type: 5 fo-fd-world-new.yax.gysm.yahoodns.net;::ffff:98.139.225.43;::ffff:98.138.49.44;::ffff:72.30.3.43;::ffff:216.155.194.56;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -13904,7 +14132,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -13915,9 +14142,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "179", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -13960,6 +14188,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -13979,11 +14208,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.954\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: um.simpli.fi\nQueryStatus: 0\nQueryResults: ::ffff:169.55.104.49;::ffff:169.60.66.35;::ffff:169.61.103.241;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -14007,7 +14237,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -14018,9 +14247,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "180", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -14103,6 +14333,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -14122,11 +14353,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.955\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: mpp.vindicosuite.com\nQueryStatus: 0\nQueryResults: ::ffff:35.186.236.204;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -14158,7 +14390,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -14169,9 +14400,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "181", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -14204,6 +14436,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -14223,11 +14456,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.955\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.1rx.io\nQueryStatus: 0\nQueryResults: ::ffff:8.41.222.152;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -14249,7 +14483,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -14260,9 +14493,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "182", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -14303,6 +14537,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -14322,11 +14557,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:07.956\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.teads.tv\nQueryStatus: 0\nQueryResults: type: 5 sync.teads.tv.edgekey.net;type: 5 e9957.g.akamaiedge.net;::ffff:23.52.160.7;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 
@@ -14350,7 +14586,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -14361,9 +14596,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "183", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -14450,6 +14686,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -14469,11 +14706,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.019\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: s.thebrighttag.com\nQueryStatus: 0\nQueryResults: type: 5 td.thebrighttag.com;::ffff:3.15.109.176;::ffff:52.15.225.252;::ffff:3.18.121.79;::ffff:3.15.101.187;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -14506,7 +14744,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -14517,9 +14754,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "184", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", 
@@ -14556,6 +14794,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -14575,11 +14814,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.050\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: t.a3cloud.net\nQueryStatus: 0\nQueryResults: type: 5 d386jaag4hn9zl.cloudfront.net;::ffff:54.192.55.189;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -14602,7 +14842,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -14613,9 +14852,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "186", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -14656,6 +14896,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -14675,11 +14916,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.070\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tps618.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -14703,7 +14945,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -14714,9 +14955,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "187", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -14801,6 +15043,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -14820,11 +15063,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.090\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: dpm.demdex.net\nQueryStatus: 0\nQueryResults: type: 5 gslb-2.demdex.net;type: 5 edge-va6.demdex.net;type: 5 dcs-edge-va6-802167536.us-east-1.elb.amazonaws.com;::ffff:54.157.69.185;::ffff:18.209.139.81;::ffff:18.233.36.36;::ffff:52.54.198.81;::ffff:52.55.201.28;::ffff:18.210.34.44;::ffff:52.72.163.149;::ffff:18.232.198.130;192.5.6.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -14857,7 +15101,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -14868,9 +15111,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "188", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -14961,6 +15205,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -14980,11 +15225,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.308\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: secure.adnxs.com\nQueryStatus: 0\nQueryResults: type: 5 g.geogslb.com;type: 5 ib.anycast.adnxs.com;::ffff:68.67.179.228;::ffff:68.67.180.44;::ffff:204.13.192.141;::ffff:68.67.178.230;::ffff:68.67.178.252;::ffff:68.67.179.23;::ffff:68.67.179.232;::ffff:68.67.180.12;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -15018,7 +15264,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -15029,9 +15274,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "189", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -15072,6 +15318,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -15091,11 +15338,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.478\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tps.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -15119,7 +15367,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -15130,9 +15377,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "190", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -15219,6 +15467,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -15238,11 +15487,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.536\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: i.liadm.com\nQueryStatus: 0\nQueryResults: type: 5 idaas-production.us-east-1.elasticbeanstalk.com;::ffff:52.71.175.22;::ffff:52.71.208.229;::ffff:52.86.201.172;::ffff:52.7.6.198;::ffff:54.152.156.164;::ffff:54.152.56.202;::ffff:54.164.15.83;::ffff:52.86.191.75;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -15275,7 +15525,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -15286,9 +15535,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "191", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -15376,6 +15626,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -15395,11 +15646,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.544\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel.s3xified.com\nQueryStatus: 0\nQueryResults: ::ffff:67.231.251.189;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -15432,7 +15684,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -15443,9 +15694,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "192", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -15528,6 +15780,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -15547,11 +15800,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.550\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: router.infolinks.com\nQueryStatus: 0\nQueryResults: ::ffff:104.20.252.85;::ffff:104.20.253.85;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -15583,7 +15837,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -15594,9 +15847,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "193", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -15674,6 +15928,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -15693,11 +15948,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.552\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: grey.erne.co\nQueryStatus: 0\nQueryResults: ::ffff:94.23.171.206;::ffff:188.165.137.78;::ffff:87.98.128.108;::ffff:94.23.73.243;::ffff:94.23.144.220;::ffff:87.98.228.78;::ffff:188.165.27.173;::ffff:87.98.252.5;::ffff:188.165.4.142;::ffff:87.98.242.60;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -15728,7 +15984,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -15739,9 +15994,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "194", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -15829,6 +16085,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -15848,11 +16105,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.552\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.jivox.com\nQueryStatus: 0\nQueryResults: ::ffff:54.243.145.203;::ffff:54.221.211.153;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -15885,7 +16143,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -15896,9 +16153,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "195", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -16190,6 +16448,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -16209,11 +16468,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.594\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: b1sync.zemanta.com\nQueryStatus: 0\nQueryResults: type: 5 b1-lsw-use1.zemanta.com;::ffff:207.244.121.25;::ffff:108.59.0.1;::ffff:162.210.196.115;::ffff:207.244.94.20;::ffff:108.59.0.12;::ffff:207.244.121.65;::ffff:162.210.199.69;::ffff:207.244.76.83;::ffff:162.210.197.137;::ffff:207.244.108.217;::ffff:207.244.121.137;::ffff:207.244.67.99;::ffff:198.7.56.229;::ffff:198.7.56.231;::ffff:108.59.4.172;::ffff:108.62.117.43;::ffff:108.59.4.171;::ffff:207.244.121.27;::ffff:207.244.71.67;::ffff:207.244.121.70;::ffff:199.58.84.25;::ffff:207.244.67.98;::ffff:162.210.196.116;::ffff:207.244.73.10;::ffff:207.244.110.3;::ffff:108.59.4.173;::ffff:108.59.0.8;::ffff:207.244.71.88;::ffff:207.244.121.73;::ffff:207.244.69.231;::ffff:108.59.0.2;::ffff:207.244.121.74;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;2001:502:1ca1::30;192.35.51.30;2001:503:d414::30;192.42.93.30;2001:503:eea3::30;192.54.112.30;2001:502:8cc::30;192.43.172.30;2001:503:39c1::30;192.48.79.30;2001:502:7094::30;192.5\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -16287,7 +16547,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", 
@@ -16298,9 +16557,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "196", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -16402,6 +16662,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -16421,11 +16682,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.619\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tg.socdm.com\nQueryStatus: 0\nQueryResults: type: 5 tg3.dr.socdm.com;::ffff:124.146.215.43;::ffff:202.241.208.53;::ffff:124.146.215.46;::ffff:202.241.208.52;::ffff:124.146.215.48;::ffff:124.146.215.45;::ffff:202.241.208.54;::ffff:124.146.215.47;::ffff:124.146.215.42;::ffff:124.146.215.44;::ffff:202.241.208.55;::ffff:202.241.208.56;192.5.6.30;2001:503:a83e::2:30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -16461,7 +16723,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -16472,9 +16733,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "197", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", 
@@ -16511,6 +16773,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -16530,11 +16793,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.620\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: prebid.adnxs.com\nQueryStatus: 0\nQueryResults: type: 5 prebid.appnexusgslb.net;::ffff:68.67.153.75;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -16557,7 +16821,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -16568,9 +16831,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "198", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -16615,6 +16879,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -16634,11 +16899,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.811\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ul1.dvtps.com\nQueryStatus: 0\nQueryResults: type: 5 tps.doubleverify.com;type: 5 tps-geo.dvgtm.akadns.net;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -16663,7 +16929,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -16674,9 +16939,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "199", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -16700,6 +16966,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -16719,11 +16986,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:08.912\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ul1.dvtps.com\nQueryStatus: 9701\nQueryResults: \nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 
@@ -16742,7 +17010,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -16753,9 +17020,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "200", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -16796,6 +17064,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -16815,11 +17084,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.016\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tags.bluekai.com\nQueryStatus: 0\nQueryResults: type: 5 tags.bluekai.com.edgekey.net;type: 5 e13541.x.akamaiedge.net;::ffff:23.3.125.199;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -16843,7 +17113,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -16854,9 +17123,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "201", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -16944,6 +17214,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -16963,11 +17234,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.048\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: cdnjs.cloudflare.com\nQueryStatus: 0\nQueryResults: ::ffff:104.19.195.151;::ffff:104.19.199.151;::ffff:104.19.198.151;::ffff:104.19.197.151;::ffff:104.19.196.151;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -17000,7 +17272,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -17011,9 +17282,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "202", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -17101,6 +17373,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -17120,11 +17393,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.051\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: pixel.onaudience.com\nQueryStatus: 0\nQueryResults: ::ffff:85.194.243.23;::ffff:85.194.243.239;::ffff:85.194.240.137;::ffff:85.194.242.103;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -17157,7 +17431,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -17168,9 +17441,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "203", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -17211,6 +17485,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -17230,11 +17505,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.054\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: status.geotrust.com\nQueryStatus: 0\nQueryResults: type: 5 ocsp.digicert.com;type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -17258,7 +17534,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -17269,9 +17544,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "204", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -17353,6 +17629,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -17372,11 +17649,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.126\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.trust-provider.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -17408,7 +17686,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -17419,9 +17696,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "205", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -17503,6 +17781,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -17522,11 +17801,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.184\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ocsp.comodoca4.com\nQueryStatus: 0\nQueryResults: type: 5 t3j2g9x7.stackpathcdn.com;::ffff:151.139.128.14;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -17558,7 +17838,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -17569,9 +17848,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "206", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -17652,6 +17932,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -17671,11 +17952,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.322\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: sync.crwdcntrl.net\nQueryStatus: 0\nQueryResults: type: 5 td.crwdcntrl.net;type: 5 nginx-bcp-stackB-428666447.us-east-1.elb.amazonaws.com;::ffff:52.4.111.14;::ffff:52.205.68.184;::ffff:52.0.28.154;::ffff:34.225.82.232;::ffff:18.213.13.245;::ffff:52.22.171.66;::ffff:52.207.199.229;::ffff:52.72.57.144;192.5.6.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -17707,7 +17989,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -17718,9 +17999,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "207", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -17790,6 +18072,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -17809,11 +18092,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:09.730\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: match.sync.ad.cpe.dotomi.com\nQueryStatus: 0\nQueryResults: type: 5 cpe.us.dotomi.weighted.com.akadns.net;type: 5 cpe.us.iad.dotomi.weighted.com.akadns.net;type: 5 iad04-convex.dotomi.com;::ffff:159.127.42.114;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -17843,7 +18127,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -17854,9 +18137,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "208", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -17897,6 +18181,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -17916,11 +18201,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:10.627\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tps10230.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -17944,7 +18230,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -17955,9 +18240,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "209", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -17998,6 +18284,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -18017,11 +18304,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:10.650\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: tps10221.doubleverify.com\nQueryStatus: 0\nQueryResults: type: 5 nycp-hlb.doubleverify.com;type: 5 nycp-hlb.dvgtm.akadns.net;::ffff:204.154.111.122;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -18045,7 +18333,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -18056,9 +18343,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "210", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -18140,6 +18428,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -18159,11 +18448,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:16.329\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: www.facebook.com\nQueryStatus: 0\nQueryResults: type: 5 star-mini.c10r.facebook.com;::ffff:31.13.71.36;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;192.12.94.30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -18195,7 +18485,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -18206,9 +18495,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "212", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -18261,6 +18551,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -18280,11 +18571,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:16.386\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: platform.twitter.com\nQueryStatus: 0\nQueryResults: type: 5 cs472.wac.edgecastcdn.net;type: 5 cs1-apr-8315.wac.edgecastcdn.net;type: 5 wac.apr-8315.edgecastdns.net;type: 5 cs1-lb-us.8315.ecdns.net;type: 5 cs491.wac.edgecastcdn.net;::ffff:192.229.163.25;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -18311,7 +18603,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -18322,9 +18613,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "213", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -18412,6 +18704,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -18431,11 +18724,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:16.482\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: syndication.twitter.com\nQueryStatus: 0\nQueryResults: ::ffff:104.244.42.8;::ffff:104.244.42.200;::ffff:104.244.42.136;::ffff:104.244.42.72;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;192.31.80.30;2001:500:856e::30;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -18468,7 +18762,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -18479,9 +18772,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "214", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -18518,6 +18812,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -18537,11 +18832,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:19.578\nProcessGuid: {FA4A0DE6-E8A9-5D2F-0000-001053699900}\nProcessId: 0\nQueryName: ade.googlesyndication.com\nQueryStatus: 0\nQueryResults: type: 5 pagead.l.doubleclick.net;::ffff:172.217.10.34;\nImage: C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a9-5d2f-0000-001053699900}", + "entity_id": "{FA4A0DE6-E8A9-5D2F-0000-001053699900}", "executable": "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 2736 @@ -18564,7 +18860,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -18575,9 +18870,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "215", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -18618,6 +18914,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -18637,11 +18934,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:34:31.219\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: iecvlist.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 ie9comview.vo.msecnd.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "entity_id": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 356 
@@ -18665,7 +18963,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -18676,9 +18973,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "216", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -18715,6 +19013,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -18734,11 +19033,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:39:02.752\nProcessGuid: {FA4A0DE6-B1A2-5D2F-0000-00106ACA0000}\nProcessId: 0\nQueryName: tsfe.trafficshaping.dsp.mp.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 tsfe.trafficmanager.net;::ffff:40.77.232.95;\nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "entity_id": "{FA4A0DE6-B1A2-5D2F-0000-00106ACA0000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 844 @@ -18761,7 +19061,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -18772,9 +19071,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "220", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -18798,6 +19098,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -18817,11 +19118,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:39:20.413\nProcessGuid: {FA4A0DE6-B1A2-5D2F-0000-00106ACA0000}\nProcessId: 0\nQueryName: isatap.local.crowbird.com\nQueryStatus: 9003\nQueryResults: \nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-b1a2-5d2f-0000-00106aca0000}", + "entity_id": "{FA4A0DE6-B1A2-5D2F-0000-00106ACA0000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 844 @@ -18840,7 +19142,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -18851,9 +19152,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "221", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -18874,6 +19176,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -18893,11 +19196,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:39:40.504\nProcessGuid: {FA4A0DE6-E9F7-5D2F-0000-001031039C00}\nProcessId: 0\nQueryName: puppet\nQueryStatus: 9003\nQueryResults: \nImage: C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e9f7-5d2f-0000-001031039c00}", + "entity_id": "{FA4A0DE6-E9F7-5D2F-0000-001031039C00}", "executable": "C:\\Program Files\\Puppet Labs\\Puppet\\sys\\ruby\\bin\\ruby.exe", "name": "ruby.exe", "pid": 676 
@@ -18916,7 +19220,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -18927,9 +19230,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "230", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -18950,6 +19254,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], @@ -18969,11 +19274,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:40:40.433\nProcessGuid: {FA4A0DE6-B1A2-5D2F-0000-001016F70000}\nProcessId: 0\nQueryName: wpad\nQueryStatus: 9003\nQueryResults: \nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-b1a2-5d2f-0000-001016f70000}", + "entity_id": "{FA4A0DE6-B1A2-5D2F-0000-001016F70000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 636 @@ -18992,7 +19298,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -19003,9 +19308,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "231", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -19050,6 +19356,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -19069,11 +19376,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:42:54.033\nProcessGuid: {FA4A0DE6-B1A3-5D2F-0000-00102F440100}\nProcessId: 0\nQueryName: v10.vortex-win.data.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 v10-win.vortex.data.microsoft.com.akadns.net;type: 5 geo.vortex.data.microsoft.com.akadns.net;type: 5 bn2.vortex.data.microsoft.com.akadns.net;::ffff:65.55.44.109;\nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "entity_id": "{FA4A0DE6-B1A3-5D2F-0000-00102F440100}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 1788 @@ -19098,7 +19406,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -19109,9 +19416,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "232", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -19148,6 +19456,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -19167,11 +19476,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:43:04.400\nProcessGuid: {FA4A0DE6-B1A3-5D2F-0000-00102F440100}\nProcessId: 0\nQueryName: settings-win.data.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 settingsfd-geo.trafficmanager.net;::ffff:20.36.218.63;\nImage: C:\\Windows\\System32\\svchost.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-b1a3-5d2f-0000-00102f440100}", + "entity_id": "{FA4A0DE6-B1A3-5D2F-0000-00102F440100}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 1788 @@ -19194,7 +19504,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -19205,9 +19514,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "233", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -19278,6 +19588,7 @@ "version": "1.12.0" }, "event": { + "action": "Dns query (rule: DnsQuery)", "category": [ "network" ], 
@@ -19297,11 +19608,12 @@ "log": { "level": "information" }, + "message": "Dns query:\nRuleName: \nUtcTime: 2019-07-18 03:49:51.154\nProcessGuid: {FA4A0DE6-E8A8-5D2F-0000-001094619900}\nProcessId: 0\nQueryName: c.urs.microsoft.com\nQueryStatus: 0\nQueryResults: type: 5 wd-prod-ss.trafficmanager.net;type: 5 wd-prod-ss-us-east-1-fe.eastus.cloudapp.azure.com;::ffff:40.121.17.79;192.5.6.30;2001:503:a83e::2:30;192.33.14.30;2001:503:231d::2:30;192.26.92.30;2001:503:83eb::30;\nImage: C:\\Program Files\\Internet Explorer\\iexplore.exe\nUser: %9", "network": { "protocol": "dns" }, "process": { - "entity_id": "{fa4a0de6-e8a8-5d2f-0000-001094619900}", + "entity_id": "{FA4A0DE6-E8A8-5D2F-0000-001094619900}", "executable": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "name": "iexplore.exe", "pid": 356 @@ -19331,7 +19643,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2016", "event_id": "22", @@ -19342,9 +19653,10 @@ "id": 1684 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "234", + "task": "Dns query (rule: DnsQuery)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json index b9a4dad64b7c..f718c8506c2c 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json @@ -5,6 +5,7 @@ "version": "1.12.0" }, "event": { + "action": "File Delete archived (rule: FileDelete)", "category": [ "file" ], 
@@ -28,8 +29,9 @@ "log": { "level": "information" }, + "message": "File Delete archived:\nRuleName: -\nUtcTime: 2020-05-07 08:14:44.489\nProcessGuid: {42F11C3B-C36F-5EB3-2C07-290000000000}\nProcessId: 2184\nUser: VAGRANT-2012-R2\\vagrant\nImage: C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe\nHashes: MD5=199E1CF5B2250BD515ECCCF4CA686301,IMPHASH=D90D8C7812AEC8DA0FA173AFA1293AB2\nIsExecutable: true\nArchived: true", "process": { - "entity_id": "{42f11c3b-c36f-5eb3-2c07-290000000000}", + "entity_id": "{42F11C3B-C36F-5EB3-2C07-290000000000}", "executable": "C:\\Users\\vagrant\\.gvm\\versions\\go1.13.10.windows.amd64\\bin\\go.exe", "hash": { "md5": "199e1cf5b2250bd515ecccf4ca686301" @@ -61,7 +63,6 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "23", @@ -72,9 +73,10 @@ "id": 2360 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "612", + "task": "File Delete archived (rule: FileDelete)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -90,6 +92,7 @@ "version": "1.12.0" }, "event": { + "action": "File Delete archived (rule: FileDelete)", "category": [ "file" ], 
@@ -113,8 +116,9 @@ "log": { "level": "information" }, + "message": "File Delete archived:\nRuleName: -\nUtcTime: 2020-05-07 07:27:18.722\nProcessGuid: {42F11C3B-B2B6-5EB3-18AB-000000000000}\nProcessId: 776\nUser: NT AUTHORITY\\LOCAL SERVICE\nImage: C:\\Windows\\System32\\svchost.exe\nTargetFilename: C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat\nHashes: SHA1=115106F5B338C87AE6836D50DD890DE3DA296367\nIsExecutable: false\nArchived: true", "process": { - "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", + "entity_id": "{42F11C3B-B2B6-5EB3-18AB-000000000000}", "executable": "C:\\Windows\\System32\\svchost.exe", "hash": { "sha1": "115106f5b338c87ae6836d50dd890de3da296367" @@ -142,7 +146,6 @@ "name": "LOCAL SERVICE" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "23", @@ -153,9 +156,10 @@ "id": 2360 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "11", + "task": "File Delete archived (rule: FileDelete)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -171,6 +175,7 @@ "version": "1.12.0" }, "event": { + "action": "File Delete archived (rule: FileDelete)", "category": [ "file" ], 
@@ -193,8 +198,9 @@ "log": { "level": "information" }, + "message": "File Delete archived:\nRuleName: -\nUtcTime: 2020-05-12 06:48:27.084\nProcessGuid: {42F11C3B-4664-5EBA-91AE-000000000000}\nProcessId: 820\nUser: NT AUTHORITY\\SYSTEM\nImage: C:\\Windows\\system32\\svchost.exe\nTargetFilename: C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d\nHashes: MD5=5A9BDDF83BE530B481F0FD24DB28A6FF,IMPHASH=00000000000000000000000000000000\nIsExecutable: false\nArchived: true", "process": { - "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", + "entity_id": "{42F11C3B-4664-5EBA-91AE-000000000000}", "executable": "C:\\Windows\\system32\\svchost.exe", "hash": { "md5": "5a9bddf83be530b481f0fd24db28a6ff" @@ -222,7 +228,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "23", @@ -233,9 +238,10 @@ "id": 1600 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "2243", + "task": "File Delete archived (rule: FileDelete)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json index e058bfb168df..a508af011f9d 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json @@ -5,6 +5,7 @@ "version": "1.12.0" }, "event": { + "action": "File Delete logged (rule: FileDeleteDetected)", "category": [ "file" ], 
@@ -28,8 +29,9 @@ "log": { "level": "information" }, + "message": "File Delete logged:\nRuleName: -\nUtcTime: 2022-01-24 05:12:34.328\nProcessGuid: {63A74932-A2B4-61EE-1B00-000000000700}\nProcessId: 1264\nUser: NT AUTHORITY\\LOCAL SERVICE\nImage: C:\\Windows\\System32\\svchost.exe\nTargetFilename: C:\\Windows\\ServiceState\\EventLog\\Data\\lastalive1.dat\nHashes: SHA256=A94808E7C66973B122F66EC6611019C745A9602F8E944F53635CAB58AEF35A79\nIsExecutable: false", "process": { - "entity_id": "{63a74932-a2b4-61ee-1b00-000000000700}", + "entity_id": "{63A74932-A2B4-61EE-1B00-000000000700}", "executable": "C:\\Windows\\System32\\svchost.exe", "hash": { "sha256": "a94808e7c66973b122f66ec6611019c745a9602f8e944f53635cab58aef35a79" @@ -56,7 +58,6 @@ "name": "LOCAL SERVICE" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_id": "26", @@ -67,9 +68,10 @@ "id": 3792 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "456", + "task": "File Delete logged (rule: FileDeleteDetected)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -85,6 +87,7 @@ "version": "1.12.0" }, "event": { + "action": "File Delete logged (rule: FileDeleteDetected)", "category": [ "file" ], 
@@ -108,8 +111,9 @@ "log": { "level": "information" }, + "message": "File Delete logged:\nRuleName: -\nUtcTime: 2022-01-24 05:12:51.031\nProcessGuid: {63A74932-3523-61EE-AF00-000000000700}\nProcessId: 1364\nUser: NT AUTHORITY\\SYSTEM\nImage: C:\\Windows\\system32\\svchost.exe\nTargetFilename: C:\\ProgramData\\Microsoft\\Windows\\DeviceMetadataCache\\OLDCACHE.000\nHashes: SHA256=D78FBF654D84DDF2CB4FE221F7D8B61E0DECDEE48A4687915E6E4A2296E2418B\nIsExecutable: false", "process": { - "entity_id": "{63a74932-3523-61ee-af00-000000000700}", + "entity_id": "{63A74932-3523-61EE-AF00-000000000700}", "executable": "C:\\Windows\\system32\\svchost.exe", "hash": { "sha256": "d78fbf654d84ddf2cb4fe221f7d8b61e0decdee48a4687915e6e4a2296e2418b" @@ -136,7 +140,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_id": "26", @@ -147,9 +150,10 @@ "id": 3792 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "457", + "task": "File Delete logged (rule: FileDeleteDetected)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json index 82c66715fdc1..506618a3fe76 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json @@ -5,6 +5,7 @@ "version": "1.12.0" }, "event": { + "action": "Registry value set (rule: RegistryEvent)", "category": [ "configuration", "registry" 
@@ -23,8 +24,9 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:40.589\nProcessGuid: {5B522F6E-77AE-5EB1-2C03-000000000800}\nProcessId: 0\nImage: C:\\Windows\\regedit.exe\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 1\nDetails: DWORD (0x00000004)\nUser: %9", "process": { - "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "entity_id": "{5B522F6E-77AE-5EB1-2C03-000000000800}", "executable": "C:\\Windows\\regedit.exe", "name": "regedit.exe", "pid": 6072 @@ -45,7 +47,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { @@ -59,9 +60,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "2682", + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -77,6 +79,7 @@ "version": "1.12.0" }, "event": { + "action": "Registry value set (rule: RegistryEvent)", "category": [ "configuration", "registry" @@ -95,8 +98,9 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:44.714\nProcessGuid: {5B522F6E-7554-5EB1-6D00-000000000800}\nProcessId: 0\nImage: C:\\Windows\\Explorer.EXE\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\nDetails: Binary Data\nUser: %9", "process": { - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "entity_id": "{5B522F6E-7554-5EB1-6D00-000000000800}", "executable": "C:\\Windows\\Explorer.EXE", "name": "Explorer.EXE", "pid": 4320 
@@ -117,7 +121,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { @@ -131,9 +134,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "2686", + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -149,6 +153,7 @@ "version": "1.12.0" }, "event": { + "action": "Registry value set (rule: RegistryEvent)", "category": [ "configuration", "registry" @@ -167,8 +172,9 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:44.714\nProcessGuid: {5B522F6E-77AE-5EB1-2C03-000000000800}\nProcessId: 0\nImage: C:\\Windows\\regedit.exe\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Key 2\nDetails: QWORD (0x00000000-0x00000005)\nUser: %9", "process": { - "entity_id": "{5b522f6e-77ae-5eb1-2c03-000000000800}", + "entity_id": "{5B522F6E-77AE-5EB1-2C03-000000000800}", "executable": "C:\\Windows\\regedit.exe", "name": "regedit.exe", "pid": 6072 @@ -189,7 +195,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { @@ -203,9 +208,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "2687", + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -221,6 +227,7 @@ "version": "1.12.0" }, "event": { + "action": "Registry value set (rule: RegistryEvent)", "category": [ "configuration", "registry" 
@@ -239,8 +246,9 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:46.808\nProcessGuid: {5B522F6E-7554-5EB1-6D00-000000000800}\nProcessId: 0\nImage: C:\\Windows\\Explorer.EXE\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\\ertrqvg.rkr\nDetails: Binary Data\nUser: %9", "process": { - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "entity_id": "{5B522F6E-7554-5EB1-6D00-000000000800}", "executable": "C:\\Windows\\Explorer.EXE", "name": "Explorer.EXE", "pid": 4320 @@ -261,7 +269,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { @@ -275,9 +282,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "2690", + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -293,6 +301,7 @@ "version": "1.12.0" }, "event": { + "action": "Registry value set (rule: RegistryEvent)", "category": [ "configuration", "registry" 
@@ -311,8 +320,9 @@ "log": { "level": "information" }, + "message": "Registry value set:\nRuleName: -\nEventType: SetValue\nUtcTime: 2020-05-05 14:57:46.808\nProcessGuid: {5B522F6E-7554-5EB1-6D00-000000000800}\nProcessId: 0\nImage: C:\\Windows\\Explorer.EXE\nTargetObject: HKU\\S-1-5-21-1067164964-2079179834-2367582738-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count\\HRZR_PGYFRFFVBA\nDetails: Binary Data\nUser: %9", "process": { - "entity_id": "{5b522f6e-7554-5eb1-6d00-000000000800}", + "entity_id": "{5B522F6E-7554-5EB1-6D00-000000000800}", "executable": "C:\\Windows\\Explorer.EXE", "name": "Explorer.EXE", "pid": 4320 @@ -333,7 +343,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { @@ -347,9 +356,10 @@ "id": 876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "2691", + "task": "Registry value set (rule: RegistryEvent)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json index f03df6a6dfde..7f7531daa3fd 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json @@ -5,6 +5,7 @@ "version": "1.12.0" }, "event": { + "action": "Image loaded (rule: ImageLoad)", "category": [ "process" ], 
@@ -46,8 +47,9 @@ "log": { "level": "information" }, + "message": "Image loaded:\nRuleName: -\nUtcTime: 2020-10-28 02:39:26.374\nProcessGuid: {9F32B55F-D9DE-5F98-F006-000000000600}\nProcessId: 0\nImage: C:\\Windows\\System32\\dllhost.exe\nImageLoaded: C:\\Windows\\System32\\IDStore.dll\nFileVersion: 10.0.17763.1 (WinBuild.160101.0800)\nDescription: Identity Store\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: IdStore.dll\nHashes: SHA1=9955A1C071C44A7CEECC0D928A9CFB7F64CC3F93,MD5=C7C45610F644906E6F7D664EF2E45B08,SHA256=4808F1101F4E42387D8DDB7A355668BAE3BF6F781C42D3BCD82E23446B1DEB3E,IMPHASH=194F3797B52231028C718B6D776C6853\nSigned: true\nSignature: Microsoft Windows\nSignatureStatus: Valid\nUser: %16", "process": { - "entity_id": "{9f32b55f-d9de-5f98-f006-000000000600}", + "entity_id": "{9F32B55F-D9DE-5F98-F006-000000000600}", "executable": "C:\\Windows\\System32\\dllhost.exe", "name": "dllhost.exe", "pid": 5184 @@ -64,7 +66,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { @@ -84,9 +85,10 @@ "id": 4796 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "10685", + "task": "Image loaded (rule: ImageLoad)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json index 7747ccf46eba..02aa528e2297 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json 
@@ -5,6 +5,7 @@ "version": "1.12.0" }, "event": { + "action": "Process Create (rule: ProcessCreate)", "category": [ "process" ], @@ -22,13 +23,14 @@ "log": { "level": "information" }, + "message": "Process Create:\nRuleName: -\nUtcTime: 2020-10-27 20:00:14.320\nProcessGuid: {9F32B55F-7C4E-5F98-5803-000000000500}\nProcessId: 0\nImage: C:\\Windows\\System32\\notepad.exe\nFileVersion: 10.0.17763.475 (WinBuild.160101.0800)\nDescription: Notepad\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: NOTEPAD.EXE\nCommandLine: \"C:\\Windows\\system32\\notepad.exe\" \nCurrentDirectory: C:\\Users\\vagrant\\\nUser: VAGRANT\\vagrant\nLogonGuid: {9F32B55F-6FDD-5F98-E7C9-020000000000}\nLogonId: 0x0\nTerminalSessionId: 0\nIntegrityLevel: Medium\nHashes: SHA1=B6D237154F2E528F0B503B58B025862D66B02B73\nParentProcessGuid: {9F32B55F-6FDF-5F98-7000-000000000500}\nParentProcessId: 0\nParentImage: C:\\Windows\\explorer.exe\nParentCommandLine: C:\\Windows\\Explorer.EXE\nParentUser: %23", "process": { "args": [ "C:\\Windows\\system32\\notepad.exe" ], "args_count": 1, "command_line": "\"C:\\Windows\\system32\\notepad.exe\" ", - "entity_id": "{9f32b55f-7c4e-5f98-5803-000000000500}", + "entity_id": "{9F32B55F-7C4E-5F98-5803-000000000500}", "executable": "C:\\Windows\\System32\\notepad.exe", "hash": { "sha1": "b6d237154f2e528f0b503b58b025862d66b02b73" @@ -40,7 +42,7 @@ ], "args_count": 1, "command_line": "C:\\Windows\\Explorer.EXE", - "entity_id": "{9f32b55f-6fdf-5f98-7000-000000000500}", + "entity_id": "{9F32B55F-6FDF-5F98-7000-000000000500}", "executable": "C:\\Windows\\explorer.exe", "name": "explorer.exe", "pid": 4212 @@ -69,7 +71,6 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant", "event_data": { 
@@ -77,7 +78,7 @@ "Description": "Notepad", "FileVersion": "10.0.17763.475 (WinBuild.160101.0800)", "IntegrityLevel": "Medium", - "LogonGuid": "{9f32b55f-6fdd-5f98-e7c9-020000000000}", + "LogonGuid": "{9F32B55F-6FDD-5F98-E7C9-020000000000}", "LogonId": "0x2c9e7", "Product": "Microsoft® Windows® Operating System", "TerminalSessionId": "1" @@ -90,9 +91,10 @@ "id": 6876 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "20", + "task": "Process Create (rule: ProcessCreate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json index a8e3c1c18b76..fc4ca383715e 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json @@ -5,6 +5,7 @@ "version": "1.12.0" }, "event": { + "action": "Clipboard changed (rule: ClipboardChange)", "code": "24", "kind": "event", "module": "sysmon", 
@@ -19,8 +20,9 @@ "log": { "level": "information" }, + "message": "Clipboard changed:\nRuleName: -\nUtcTime: 2021-02-25 15:04:48.592\nProcessGuid: {9497D8D9-AA1B-602F-A600-000000001000}\nProcessId: 0\nImage: C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\nSession: 0\nClientInfo: user: DESKTOP-I9CQVAQ\\luks\nHashes: SHA256=7ADB1CF1A75973079C055F929573AE92557A8C0E5B0E38A6A5427E412FB73D59,IMPHASH=00000000000000000000000000000000\nArchived: true\nUser: %10", "process": { - "entity_id": "{9497d8d9-aa1b-602f-a600-000000001000}", + "entity_id": "{9497D8D9-AA1B-602F-A600-000000001000}", "executable": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", "hash": { "sha256": "7adb1cf1a75973079c055f929573ae92557a8c0e5b0e38a6a5427e412fb73d59" @@ -42,7 +44,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "DESKTOP-I9CQVAQ", "event_data": { @@ -57,9 +58,10 @@ "id": 6444 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "10757412", + "task": "Clipboard changed (rule: ClipboardChange)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json index 8ff7aca6af2c..6f410bb65c78 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json @@ -5,6 +5,7 @@ "version": "1.12.0" }, "event": { + "action": "Process Tampering (rule: ProcessTampering)", "category": [ "process" ], 
@@ -22,9 +23,9 @@ "log": { "level": "information" }, - "message": "Image is replaced", + "message": "Process Tampering:\nRuleName: -\nUtcTime: 2021-02-25 14:43:23.550\nProcessGuid: {9497D8D9-B78B-6037-6F13-000000001000}\nProcessId: 0\nImage: C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe\nType: Image is replaced\nUser: %7", "process": { - "entity_id": "{9497d8d9-b78b-6037-6f13-000000001000}", + "entity_id": "{9497D8D9-B78B-6037-6F13-000000001000}", "executable": "C:\\Program Files\\Git\\mingw64\\libexec\\git-core\\git.exe", "name": "git.exe", "pid": 2628 @@ -33,9 +34,11 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "DESKTOP-I9CQVAQ", + "event_data": { + "Type": "Image is replaced" + }, "event_id": "25", "opcode": "Info", "process": { @@ -44,9 +47,10 @@ "id": 5080 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "10737797", + "task": "Process Tampering (rule: ProcessTampering)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json index 67e22fa17534..25ad7dde8578 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json @@ -5,6 +5,7 @@ "version": "1.12.0" }, "event": { + "action": "Sysmon config state changed", "category": [ "configuration" ], 
@@ -22,11 +23,11 @@ "log": { "level": "information" }, + "message": "Sysmon config state changed:\nUtcTime: 2019-03-18 16:57:37.933\nConfiguration: C:\\Users\\vagrant\\Downloads\\\"C:\\Users\\vagrant\\Downloads\\Sysmon.exe\" -i -n\nConfigurationFileHash: ", "user": { "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -40,9 +41,10 @@ "id": 4724 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "1", + "task": "Sysmon config state changed", "user": { "identifier": "S-1-5-21-3541430928-2051711210-1391384369-1001" }, @@ -55,6 +57,7 @@ "version": "1.12.0" }, "event": { + "action": "Sysmon service state changed", "category": [ "process" ], @@ -72,11 +75,11 @@ "log": { "level": "information" }, + "message": "Sysmon service state changed:\nUtcTime: 2019-03-18 16:57:38.011\nState: Started\nVersion: 9.01\nSchemaVersion: 4.20", "user": { "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -92,9 +95,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "2", + "task": "Sysmon service state changed", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -110,6 +114,7 @@ "version": "1.12.0" }, "event": { + "action": "Process Create (rule: ProcessCreate)", "category": [ "process" ], 
@@ -127,13 +132,14 @@ "log": { "level": "information" }, + "message": "Process Create:\nRuleName: \nUtcTime: 2019-03-18 16:57:37.949\nProcessGuid: {42F11C3B-CE01-5C8F-0000-0010C73E2A00}\nProcessId: 0\nImage: C:\\Windows\\Sysmon.exe\nFileVersion: 9.01\nDescription: System activity monitor\nProduct: Sysinternals Sysmon\nCompany: Sysinternals - www.sysinternals.com\nOriginalFileName: C:\\Windows\\Sysmon.exe\nCommandLine: C:\\Windows\\system32\\\nCurrentDirectory: NT AUTHORITY\\SYSTEM\nUser: {42F11C3B-6E1A-5C8C-0000-0020E7030000}\nLogonGuid: 0x3e7\nLogonId: 0x0\nTerminalSessionId: 0\nIntegrityLevel: SHA1=AC93C3B38E57A2715572933DBCB2A1C2892DBC5E\nHashes: {42F11C3B-6E1A-5C8C-0000-0010F14D0000}\nParentProcessGuid: 488\nParentProcessId: 0\nParentImage: C:\\Windows\\system32\\services.exe\nParentCommandLine: %22\nParentUser: %23", "process": { "args": [ "C:\\Windows\\Sysmon.exe" ], "args_count": 1, "command_line": "C:\\Windows\\Sysmon.exe", - "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}", + "entity_id": "{42F11C3B-CE01-5C8F-0000-0010C73E2A00}", "executable": "C:\\Windows\\Sysmon.exe", "hash": { "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" @@ -145,7 +151,7 @@ ], "args_count": 1, "command_line": "C:\\Windows\\system32\\services.exe", - "entity_id": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}", + "entity_id": "{42F11C3B-6E1A-5C8C-0000-0010F14D0000}", "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", "pid": 488 @@ -173,7 +179,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -181,7 +186,7 @@ "Description": "System activity monitor", "FileVersion": "9.01", "IntegrityLevel": "System", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonGuid": "{42F11C3B-6E1A-5C8C-0000-0020E7030000}", "LogonId": "0x3e7", "Product": "Sysinternals Sysmon", "TerminalSessionId": "0" 
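Review bot: In the `@@ -127,13 +132,14 @@` hunk the rendered ProcessCreate message has its labels offset from its values from `CommandLine:` onward — `CurrentDirectory: NT AUTHORITY\\SYSTEM`, `LogonGuid: 0x3e7`, `IntegrityLevel: SHA1=...`, `Hashes: {42F11C3B-...}`, `ParentProcessGuid: 488` — so the golden file commits field/value pairs that are wrong; the same shift appears in the `@@ -229,6 +236,7 @@` hunk at L838 and the `@@ -446,6 +459,7 @@` hunk at L841. The 9.01-era event visibly carries fewer EventData items than the newer template (no `OriginalFileName`, no `ParentUser`), and the renderer appears to substitute positionally without checking that the template's parameter count matches the event's. Suggest rendering with the event's own version/template, or skipping the `message` when counts differ, rather than asserting mislabelled text; a message whose `Hashes:` and `LogonGuid:` lines hold other fields' values will actively mislead anyone searching on it.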
@@ -194,9 +199,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "3", + "task": "Process Create (rule: ProcessCreate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -212,6 +218,7 @@ "version": "1.12.0" }, "event": { + "action": "Process Create (rule: ProcessCreate)", "category": [ "process" ], @@ -229,6 +236,7 @@ "log": { "level": "information" }, + "message": "Process Create:\nRuleName: \nUtcTime: 2019-03-18 16:57:37.964\nProcessGuid: {42F11C3B-CE01-5C8F-0000-00102C412A00}\nProcessId: 0\nImage: C:\\Windows\\System32\\wbem\\unsecapp.exe\nFileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)\nDescription: Sink to receive asynchronous callbacks for WMI client application\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding\nCommandLine: C:\\Windows\\system32\\\nCurrentDirectory: NT AUTHORITY\\SYSTEM\nUser: {42F11C3B-6E1A-5C8C-0000-0020E7030000}\nLogonGuid: 0x3e7\nLogonId: 0x0\nTerminalSessionId: 0\nIntegrityLevel: SHA1=6DF8163A6320B80B60733F9D62E2F39B4B16B678\nHashes: {42F11C3B-6E1B-5C8C-0000-00102F610000}\nParentProcessGuid: 560\nParentProcessId: 0\nParentImage: C:\\Windows\\system32\\svchost.exe -k DcomLaunch\nParentCommandLine: %22\nParentUser: %23", "process": { "args": [ "C:\\Windows\\system32\\wbem\\unsecapp.exe", @@ -236,7 +244,7 @@ ], "args_count": 2, "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding", - "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}", + "entity_id": "{42F11C3B-CE01-5C8F-0000-00102C412A00}", "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe", "hash": { "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" 
@@ -250,7 +258,7 @@ ], "args_count": 3, "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", - "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", + "entity_id": "{42F11C3B-6E1B-5C8C-0000-00102F610000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 560 @@ -278,7 +286,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -286,7 +293,7 @@ "Description": "Sink to receive asynchronous callbacks for WMI client application", "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", "IntegrityLevel": "System", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonGuid": "{42F11C3B-6E1A-5C8C-0000-0020E7030000}", "LogonId": "0x3e7", "Product": "Microsoft® Windows® Operating System", "TerminalSessionId": "0" @@ -299,9 +306,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "4", + "task": "Process Create (rule: ProcessCreate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -317,6 +325,7 @@ "version": "1.12.0" }, "event": { + "action": "Process terminated (rule: ProcessTerminate)", "category": [ "process" ], @@ -334,8 +343,9 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:38.981\nProcessGuid: {42F11C3B-CDF4-5C8F-0000-0010E61E2A00}\nProcessId: 0\nImage: C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe\nUser: %6", "process": { - "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010e61e2a00}", + "entity_id": "{42F11C3B-CDF4-5C8F-0000-0010E61E2A00}", "executable": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\Sysmon.exe", "name": "Sysmon.exe", "pid": 4616 
@@ -344,7 +354,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "5", @@ -355,9 +364,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "5", + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -373,6 +383,7 @@ "version": "1.12.0" }, "event": { + "action": "Process terminated (rule: ProcessTerminate)", "category": [ "process" ], @@ -390,8 +401,9 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:38.981\nProcessGuid: {42F11C3B-CDF4-5C8F-0000-0010071E2A00}\nProcessId: 0\nImage: C:\\Users\\vagrant\\Downloads\\Sysmon.exe\nUser: %6", "process": { - "entity_id": "{42f11c3b-cdf4-5c8f-0000-0010071e2a00}", + "entity_id": "{42F11C3B-CDF4-5C8F-0000-0010071E2A00}", "executable": "C:\\Users\\vagrant\\Downloads\\Sysmon.exe", "name": "Sysmon.exe", "pid": 4648 @@ -400,7 +412,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "5", @@ -411,9 +422,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "6", + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -429,6 +441,7 @@ "version": "1.12.0" }, "event": { + "action": "Process Create (rule: ProcessCreate)", "category": [ "process" ], 
@@ -446,6 +459,7 @@ "log": { "level": "information" }, + "message": "Process Create:\nRuleName: \nUtcTime: 2019-03-18 16:57:39.012\nProcessGuid: {42F11C3B-CE03-5C8F-0000-0010E9462A00}\nProcessId: 0\nImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe\nFileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)\nDescription: WMI Provider Host\nProduct: Microsoft® Windows® Operating System\nCompany: Microsoft Corporation\nOriginalFileName: C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding\nCommandLine: C:\\Windows\\system32\\\nCurrentDirectory: NT AUTHORITY\\SYSTEM\nUser: {42F11C3B-6E1A-5C8C-0000-0020E7030000}\nLogonGuid: 0x3e7\nLogonId: 0x0\nTerminalSessionId: 0\nIntegrityLevel: SHA1=5A4C0E82FF95C9FB762D46A696EF9F1B68001C21\nHashes: {42F11C3B-6E1B-5C8C-0000-00102F610000}\nParentProcessGuid: 560\nParentProcessId: 0\nParentImage: C:\\Windows\\system32\\svchost.exe -k DcomLaunch\nParentCommandLine: %22\nParentUser: %23", "process": { "args": [ "C:\\Windows\\system32\\wbem\\wmiprvse.exe", @@ -453,7 +467,7 @@ ], "args_count": 2, "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding", - "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}", + "entity_id": "{42F11C3B-CE03-5C8F-0000-0010E9462A00}", "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "hash": { "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" @@ -467,7 +481,7 @@ ], "args_count": 3, "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", - "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}", + "entity_id": "{42F11C3B-6E1B-5C8C-0000-00102F610000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 560 @@ -495,7 +509,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { 
@@ -503,7 +516,7 @@ "Description": "WMI Provider Host", "FileVersion": "6.3.9600.16384 (winblue_rtm.130821-1623)", "IntegrityLevel": "System", - "LogonGuid": "{42f11c3b-6e1a-5c8c-0000-0020e7030000}", + "LogonGuid": "{42F11C3B-6E1A-5C8C-0000-0020E7030000}", "LogonId": "0x3e7", "Product": "Microsoft® Windows® Operating System", "TerminalSessionId": "0" @@ -516,9 +529,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "7", + "task": "Process Create (rule: ProcessCreate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -538,6 +552,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], @@ -557,6 +572,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:47.847\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: a00:20f:0:0:18a2:6e00:e0:ffff\nSourceHostname: \nSourcePort: 62141\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: a00:203:3000:3000:3000:3000:3000:3300\nDestinationHostname: \nDestinationPort: 53\nDestinationPortName: domain", "network": { "community_id": "1:EQDBfI6vAylArTBQHY8kNmaweOA=", "direction": "egress", @@ -565,7 +581,7 @@ "type": "ipv6" }, "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 924 @@ -589,7 +605,6 @@ "name": "NETWORK SERVICE" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", 
@@ -600,9 +615,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "8", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -622,6 +638,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], @@ -641,6 +658,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.070\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 62141\nSourcePortName: \nDestinationIsIpv6: false\nDestinationIp: 10.0.2.3\nDestinationHostname: \nDestinationPort: 53\nDestinationPortName: domain", "network": { "community_id": "1:TXczQujzvcGYSvZ/CKEBu1p2riE=", "direction": "ingress", @@ -649,7 +667,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 924 @@ -674,7 +692,6 @@ "name": "NETWORK SERVICE" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -685,9 +702,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "9", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", 
@@ -707,6 +725,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], @@ -726,6 +745,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.148\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: VAGRANT-2012-R2\\vagrant\nProtocol: tcp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 1138\nSourcePortName: \nDestinationIsIpv6: false\nDestinationIp: 40.77.226.250\nDestinationHostname: \nDestinationPort: 443\nDestinationPortName: https", "network": { "community_id": "1:W2ZbP8nXMY+YAGYw2h/3Sa8Gu/w=", "direction": "egress", @@ -734,7 +754,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 1600 @@ -759,7 +779,6 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -770,9 +789,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "10", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -792,6 +812,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -811,6 +832,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.214\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: VAGRANT-2012-R2\\vagrant\nProtocol: tcp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 1139\nSourcePortName: \nDestinationIsIpv6: false\nDestinationIp: 40.77.226.250\nDestinationHostname: \nDestinationPort: 443\nDestinationPortName: https", "network": { "community_id": "1:5MsyqYltV9KkhIFGPWiByzQqHDo=", "direction": "egress", @@ -819,7 +841,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 1600 @@ -844,7 +866,6 @@ "name": "vagrant" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -855,9 +876,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "11", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -877,6 +899,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -896,6 +919,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 10.0.2.255\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "network": { "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", "direction": "egress", @@ -904,7 +928,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "executable": "System", "pid": 4 }, @@ -928,7 +952,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -939,9 +962,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "12", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -962,6 +986,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -981,6 +1006,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 10.0.2.255\nSourceHostname: \nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 10.0.2.15\nDestinationHostname: vagrant-2012-r2.local.crowbird.com\nDestinationPort: 137\nDestinationPortName: netbios-ns", "network": { "community_id": "1:0p51df9oGzNph3fcneX2H8jXsag=", "direction": "ingress", @@ -989,7 +1015,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "executable": "System", "pid": 4 }, @@ -1012,7 +1038,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1023,9 +1048,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "13", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1045,6 +1071,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1064,6 +1091,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: fe80:0:0:0:e488:b85c:5262:ff86\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 55542\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: ff02:0:0:0:0:0:1:3\nDestinationHostname: \nDestinationPort: 5355\nDestinationPortName: llmnr", "network": { "community_id": "1:4DSgubObvMEI9IKNWPDqltrux+k=", "direction": "egress", @@ -1072,7 +1100,7 @@ "type": "ipv6" }, "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 924 @@ -1097,7 +1125,6 @@ "name": "NETWORK SERVICE" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1108,9 +1135,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "14", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1130,6 +1158,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1149,6 +1178,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: a00:20f:0:0:18a2:6e00:e0:ffff\nSourceHostname: \nSourcePort: 55542\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: e000:fc:4300:6800:7200:6f00:6d00:6500\nDestinationHostname: \nDestinationPort: 5355\nDestinationPortName: llmnr", "network": { "community_id": "1:sejGGvgk92xTvKdzlFitndKqdWw=", "direction": "egress", @@ -1157,7 +1187,7 @@ "type": "ipv6" }, "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 924 @@ -1181,7 +1211,6 @@ "name": "NETWORK SERVICE" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1192,9 +1221,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "15", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1214,6 +1244,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1233,6 +1264,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.250\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 169.254.180.25\nSourceHostname: \nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 169.254.255.255\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "network": { "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", "direction": "egress", @@ -1241,7 +1273,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "executable": "System", "pid": 4 }, @@ -1264,7 +1296,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1275,9 +1306,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "16", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1297,6 +1329,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1316,6 +1349,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.251\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: false\nSourceIsIpv6: false\nSourceIp: 169.254.255.255\nSourceHostname: \nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 169.254.180.25\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "network": { "community_id": "1:yP71IXofOTWmF1LG760//yXa4Rk=", "direction": "ingress", @@ -1324,7 +1358,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "executable": "System", "pid": 4 }, @@ -1347,7 +1381,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1358,9 +1391,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "17", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1380,6 +1414,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1399,6 +1434,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.251\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: fe80:0:0:0:616f:32fa:b04f:b419\nSourceHostname: \nSourcePort: 55717\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: ff02:0:0:0:0:0:1:3\nDestinationHostname: \nDestinationPort: 5355\nDestinationPortName: llmnr", "network": { "community_id": "1:Zt/ImHlMNf4MciHXlRDkivgw2jY=", "direction": "egress", @@ -1407,7 +1443,7 @@ "type": "ipv6" }, "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 924 @@ -1431,7 +1467,6 @@ "name": "NETWORK SERVICE" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1442,9 +1477,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "18", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1464,6 +1500,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1483,6 +1520,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.251\nProcessGuid: {42F11C3B-0BAD-5C8C-0000-0010DFBC0000}\nProcessId: 924\nImage: C:\\Windows\\System32\\svchost.exe\nUser: NT AUTHORITY\\NETWORK SERVICE\nProtocol: udp\nInitiated: true\nSourceIsIpv6: true\nSourceIp: a9fe:b419:0:0:f880:2301:e0:ffff\nSourceHostname: \nSourcePort: 55717\nSourcePortName: \nDestinationIsIpv6: true\nDestinationIp: e000:fc:0:0:0:0:0:0\nDestinationHostname: \nDestinationPort: 5355\nDestinationPortName: llmnr", "network": { "community_id": "1:SHkoHfPFDYWai8qQBwIiRxvCPZw=", "direction": "egress", @@ -1491,7 +1529,7 @@ "type": "ipv6" }, "process": { - "entity_id": "{42f11c3b-0bad-5c8c-0000-0010dfbc0000}", + "entity_id": "{42F11C3B-0BAD-5C8C-0000-0010DFBC0000}", "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", "pid": 924 @@ -1515,7 +1553,6 @@ "name": "NETWORK SERVICE" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1526,9 +1563,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "19", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1548,6 +1586,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1567,6 +1606,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.264\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 40.77.226.250\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "network": { "community_id": "1:DI+g4BImhWaUwPmLEjdMMQVYPLs=", "direction": "egress", @@ -1575,7 +1615,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "executable": "System", "pid": 4 }, @@ -1599,7 +1639,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1610,9 +1649,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "20", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1632,6 +1672,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1651,6 +1692,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:48.276\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 10.0.2.3\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "network": { "community_id": "1:okFVyky/zOY2Q0BATy37YsbiveA=", "direction": "egress", @@ -1659,7 +1701,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "executable": "System", "pid": 4 }, @@ -1683,7 +1725,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1694,9 +1735,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "21", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1716,6 +1758,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1735,6 +1778,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:49.213\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 169.254.255.255\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "network": { "community_id": "1:ZHyFuF2PjubLSbAh4zRQIZHOZK8=", "direction": "egress", @@ -1743,7 +1787,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "executable": "System", "pid": 4 }, @@ -1767,7 +1811,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1778,9 +1821,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "22", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1800,6 +1844,7 @@ "version": "1.12.0" }, "event": { + "action": "Network connection detected (rule: NetworkConnect)", "category": [ "network" ], 
@@ -1819,6 +1864,7 @@ "log": { "level": "information" }, + "message": "Network connection detected:\nRuleName: \nUtcTime: 2019-03-18 16:57:49.218\nProcessGuid: {42F11C3B-6E19-5C8C-0000-0010EB030000}\nProcessId: 4\nImage: System\nUser: NT AUTHORITY\\SYSTEM\nProtocol: udp\nInitiated: true\nSourceIsIpv6: false\nSourceIp: 10.0.2.15\nSourceHostname: vagrant-2012-r2.local.crowbird.com\nSourcePort: 137\nSourcePortName: netbios-ns\nDestinationIsIpv6: false\nDestinationIp: 169.254.180.25\nDestinationHostname: \nDestinationPort: 137\nDestinationPortName: netbios-ns", "network": { "community_id": "1:r3C/WjbATNIislTQ0M+ySzwnuiw=", "direction": "egress", @@ -1827,7 +1873,7 @@ "type": "ipv4" }, "process": { - "entity_id": "{42f11c3b-6e19-5c8c-0000-0010eb030000}", + "entity_id": "{42F11C3B-6E19-5C8C-0000-0010EB030000}", "executable": "System", "pid": 4 }, @@ -1851,7 +1897,6 @@ "name": "SYSTEM" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "3", @@ -1862,9 +1907,10 @@ "id": 4492 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "23", + "task": "Network connection detected (rule: NetworkConnect)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1880,6 +1926,7 @@ "version": "1.12.0" }, "event": { + "action": "Process terminated (rule: ProcessTerminate)", "category": [ "process" ], 
@@ -1897,8 +1944,9 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.350\nProcessGuid: {42F11C3B-CCC6-5C8F-0000-001005082900}\nProcessId: 0\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: %6", "process": { - "entity_id": "{42f11c3b-ccc6-5c8f-0000-001005082900}", + "entity_id": "{42F11C3B-CCC6-5C8F-0000-001005082900}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 4832 @@ -1907,7 +1955,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "5", @@ -1918,9 +1965,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "24", + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1936,6 +1984,7 @@ "version": "1.12.0" }, "event": { + "action": "Process terminated (rule: ProcessTerminate)", "category": [ "process" ], @@ -1953,8 +2002,9 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.364\nProcessGuid: {42F11C3B-CCCC-5C8F-0000-0010E8272900}\nProcessId: 0\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: %6", "process": { - "entity_id": "{42f11c3b-cccc-5c8f-0000-0010e8272900}", + "entity_id": "{42F11C3B-CCCC-5C8F-0000-0010E8272900}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 3208 @@ -1963,7 +2013,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "5", 
@@ -1974,9 +2023,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "25", + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -1992,6 +2042,7 @@ "version": "1.12.0" }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "category": [ "file" ], @@ -2015,8 +2066,9 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.387\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\fe823684-c940-49f2-a940-14b02cbafba9.tmp\nCreationUtcTime: 2019-03-18 16:52:04.980\nPreviousCreationUtcTime: 2019-03-18 16:57:52.387\nUser: %9", "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 1600 @@ -2025,7 +2077,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -2040,9 +2091,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "26", + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2058,6 +2110,7 @@ "version": "1.12.0" }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "category": [ "file" ], 
@@ -2081,8 +2134,9 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.417\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\162d4140-cfab-4d05-9c92-bca60515a622.tmp\nCreationUtcTime: 2019-03-18 16:52:04.980\nPreviousCreationUtcTime: 2019-03-18 16:57:52.402\nUser: %9", "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 1600 @@ -2091,7 +2145,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -2106,9 +2159,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "27", + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2124,6 +2178,7 @@ "version": "1.12.0" }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "category": [ "file" ], 
@@ -2147,8 +2202,9 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.417\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\1450fedf-ac4c-4e35-b371-ed5d3bbe4776.tmp\nCreationUtcTime: 2019-03-18 16:52:05.028\nPreviousCreationUtcTime: 2019-03-18 16:57:52.402\nUser: %9", "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 1600 @@ -2157,7 +2213,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -2172,9 +2227,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "28", + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2190,6 +2246,7 @@ "version": "1.12.0" }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "category": [ "file" ], 
@@ -2213,8 +2270,9 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.417\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\37ed32e9-3c5f-4663-8457-c70743e9456d.tmp\nCreationUtcTime: 2019-03-18 16:51:54.980\nPreviousCreationUtcTime: 2019-03-18 16:57:52.417\nUser: %9", "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 1600 @@ -2223,7 +2281,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -2238,9 +2295,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "29", + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2256,6 +2314,7 @@ "version": "1.12.0" }, "event": { + "action": "Process terminated (rule: ProcessTerminate)", "category": [ "process" ], @@ -2273,8 +2332,9 @@ "log": { "level": "information" }, + "message": "Process terminated:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.433\nProcessGuid: {42F11C3B-CCAB-5C8F-0000-001064EB2700}\nProcessId: 0\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nUser: %6", "process": { - "entity_id": "{42f11c3b-ccab-5c8f-0000-001064eb2700}", + "entity_id": "{42F11C3B-CCAB-5C8F-0000-001064EB2700}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 2680 
@@ -2283,7 +2343,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_id": "5", @@ -2294,9 +2353,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "30", + "task": "Process terminated (rule: ProcessTerminate)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2312,6 +2372,7 @@ "version": "1.12.0" }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "category": [ "file" ], @@ -2335,8 +2396,9 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.433\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\nmmhkkegccagdldgiimedpiccmgmieda\\def\\ecb9c915-c4c2-4600-a920-f2bc302990a8.tmp\nCreationUtcTime: 2019-03-18 16:52:08.496\nPreviousCreationUtcTime: 2019-03-18 16:57:52.417\nUser: %9", "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 1600 @@ -2345,7 +2407,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { 
@@ -2360,9 +2421,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "31", + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", @@ -2378,6 +2440,7 @@ "version": "1.12.0" }, "event": { + "action": "File creation time changed (rule: FileCreateTime)", "category": [ "file" ], @@ -2401,8 +2464,9 @@ "log": { "level": "information" }, + "message": "File creation time changed:\nRuleName: \nUtcTime: 2019-03-18 16:57:52.433\nProcessGuid: {42F11C3B-CCAA-5C8F-0000-0010B4E22700}\nProcessId: 1600\nImage: C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe\nTargetFilename: C:\\Users\\vagrant\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Storage\\ext\\gfdkimpbcpahaombhbimeihdjnejgicl\\def\\ee4a6e45-bffd-49f4-98ae-32aebcc890b5.tmp\nCreationUtcTime: 2019-03-18 16:52:05.339\nPreviousCreationUtcTime: 2019-03-18 16:57:52.417\nUser: %9", "process": { - "entity_id": "{42f11c3b-ccaa-5c8f-0000-0010b4e22700}", + "entity_id": "{42F11C3B-CCAA-5C8F-0000-0010B4E22700}", "executable": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe", "name": "chrome.exe", "pid": 1600 @@ -2411,7 +2475,6 @@ "id": "S-1-5-18" }, "winlog": { - "api": "wineventlog", "channel": "Microsoft-Windows-Sysmon/Operational", "computer_name": "vagrant-2012-r2", "event_data": { @@ -2426,9 +2489,10 @@ "id": 4516 } }, - "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}", "provider_name": "Microsoft-Windows-Sysmon", "record_id": "32", + "task": "File creation time changed (rule: FileCreateTime)", "user": { "domain": "NT AUTHORITY", "identifier": "S-1-5-18", diff --git a/x-pack/winlogbeat/module/testing.go b/x-pack/winlogbeat/module/testing.go index 21509f6c95e1..f1d38fceac82 100644 
--- a/x-pack/winlogbeat/module/testing.go +++ b/x-pack/winlogbeat/module/testing.go @@ -33,7 +33,7 @@ import ( "github.com/elastic/elastic-agent-libs/transport/httpcommon" ) -var update = flag.Bool("update", true, "update golden files") +var update = flag.Bool("update", false, "update golden files") // Option configures the test behavior. type Option func(*params) From 15fae95dc90548844f482545101de69b463044b5 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 15 Jan 2025 12:08:02 +0100 Subject: [PATCH 15/20] Fix test for win2016 --- winlogbeat/tests/system/test_wineventlog.py | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py index 580d82989cfa..3320437bbedb 100644 --- a/winlogbeat/tests/system/test_wineventlog.py +++ b/winlogbeat/tests/system/test_wineventlog.py @@ -149,10 +149,9 @@ def test_read_unknown_event_id(self): "winlog.keywords": ["Classic"], }) - self.assertEqual( - "failed to get the event message string: failed in EvtFormatMessage:" - " The message resource is present but the message was not found in the message table.", - evts[0]["error.message"] + # we just check the prefix since the specific message changes depending on the windows version + self.assertTrue( + evts[0]["error.message"].startswith("failed to get the event message string: failed in EvtFormatMessage:") ) def test_read_unknown_sid(self): From 62ca5fd38d02e02f182f4d36dd7cb65d46e274eb Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 16 Jan 2025 14:08:57 +0100 Subject: [PATCH 16/20] fix github action --- .github/workflows/check-dev-tools.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/check-dev-tools.yml b/.github/workflows/check-dev-tools.yml index b835bf981242..b260a2ae8d4c 100644 --- a/.github/workflows/check-dev-tools.yml +++ b/.github/workflows/check-dev-tools.yml 
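Review bot: Nothing at the `var update` declaration says why the default must be `false`, so the next person who flips it to `true` for a local regeneration run can leave it flipped again, and presumably every golden-file test then rewrites its expected output instead of failing on a mismatch. Add a comment above the new line: `// update must default to false; -update=true rewrites the golden files instead of comparing against them, so pass it explicitly only when regenerating on purpose.`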
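Review bot: The new `self.assertTrue(evts[0]["error.message"].startswith(...))` drops the actual value from the failure report, so when the prefix stops matching on some Windows version the only output will be `False is not true`. Pass the message as the assertion's second argument, e.g. `self.assertTrue(evts[0]["error.message"].startswith("failed to get the event message string: failed in EvtFormatMessage:"), evts[0]["error.message"])`, or use `assertRegex(evts[0]["error.message"], r"^failed to get the event message string: failed in EvtFormatMessage:")`, which reports the value by itself. `test_read_unknown_event_id` starts outside the hunk.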
@@ -21,6 +21,10 @@ jobs: - uses: actions/setup-go@v5 with: go-version-file: .go-version + - name: Fix Code is not compatible with Python 3.12 + uses: actions/setup-python@v5 + with: + python-version: '3.10' - name: Run check/update run: | go install github.com/magefile/mage From 6dd9cf9891636dc0c8d89456cc2ba232adc8d6f2 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 16 Jan 2025 15:45:09 +0100 Subject: [PATCH 17/20] Update winlogbeat/sys/wineventlog/metadata_store_test.go Co-authored-by: Leszek Kubik <39905449+intxgo@users.noreply.github.com> --- winlogbeat/sys/wineventlog/metadata_store_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/winlogbeat/sys/wineventlog/metadata_store_test.go b/winlogbeat/sys/wineventlog/metadata_store_test.go index 1e6789b1d0b5..c8b420bc6794 100644 --- a/winlogbeat/sys/wineventlog/metadata_store_test.go +++ b/winlogbeat/sys/wineventlog/metadata_store_test.go @@ -41,6 +41,7 @@ func TestPublisherMetadataStore(t *testing.T) { defer s.Close() assert.NotEmpty(t, s.EventsByVersion) + assert.NotEmpty(t, s.EventsNewest) assert.Empty(t, s.EventFingerprints) t.Run("event_metadata_from_handle", func(t *testing.T) { From f2cab511ab43bf10de5300af80da8d975fbcd7ef Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 16 Jan 2025 15:55:44 +0100 Subject: [PATCH 18/20] simplify sysmon script --- .buildkite/scripts/install_sysmon.ps1 | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/.buildkite/scripts/install_sysmon.ps1 b/.buildkite/scripts/install_sysmon.ps1 index 7c4a6ea5af1e..7279ff2efb50 100644 --- a/.buildkite/scripts/install_sysmon.ps1 +++ b/.buildkite/scripts/install_sysmon.ps1 @@ -1,5 +1,6 @@ -$downloadUrl = "https://download.sysinternals.com/files/Sysmon.zip" +$downloadUrl = "https://live.sysinternals.com/Sysmon64.exe" $tempFolder = "$env:TEMP\SysmonDownload" +$sysmonPath = "$tempFolder\Sysmon64.exe" if (!(Test-Path $tempFolder)) { New-Item -ItemType Directory -Path $tempFolder 
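Review bot: The added `actions/setup-python@v5` step references the action by a mutable tag, so the code that runs in this workflow can change underneath the pin without any change here; the neighbouring `actions/setup-go@v5` line does the same, so this may be the repository's accepted practice, but if the workflow is meant to be supply-chain hardened, pin to a full commit SHA with the tag kept as a trailing comment (`uses: actions/setup-python@<sha> # v5`). Separately, the step name `Fix Code is not compatible with Python 3.12` reads like an error message rather than a description of what the step does; something like `- name: Set up Python 3.10 (dev tooling is not yet compatible with 3.12)` names the action and keeps the reason.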
@@ -26,7 +27,7 @@ function ParseErrorForResponseBody($Error) { try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - $result = Invoke-WebRequest -Uri $downloadUrl -OutFile "$tempFolder\Sysmon.zip" -UseBasicParsing + $result = Invoke-WebRequest -Uri $downloadUrl -OutFile $sysmonPath -UseBasicParsing } catch { $resp = ParseErrorForResponseBody($_) @@ -34,11 +35,7 @@ catch { exit 1 } -Write-Host "Sysmon.zip downloaded successfully." - -Expand-Archive -Path "$tempFolder\Sysmon.zip" -DestinationPath $tempFolder - -$sysmonPath = Get-ChildItem -Path "$tempFolder" -Filter "Sysmon64.exe" | Select-Object -ExpandProperty FullName +Write-Host "Sysmon64.exe downloaded successfully." if ($sysmonPath) { Start-Process -FilePath $sysmonPath -ArgumentList "-m" -Wait @@ -48,6 +45,4 @@ if ($sysmonPath) { Write-Host "Sysmon executable not found in the downloaded archive." } -# Clean up the downloaded file -Remove-Item -Path "$tempFolder\Sysmon.zip" Remove-Item -Path $tempFolder -Force -Recurse From 56d88e955f5f31fb2ded3ebf855531d1328743c3 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 20 Jan 2025 13:20:27 +0100 Subject: [PATCH 19/20] Add retries and simplify call --- .buildkite/scripts/install_sysmon.ps1 | 63 ++++++++++++++++--- .../x-pack/pipeline.xpack.winlogbeat.yml | 24 ++----- 2 files changed, 60 insertions(+), 27 deletions(-) diff --git a/.buildkite/scripts/install_sysmon.ps1 b/.buildkite/scripts/install_sysmon.ps1 index 7279ff2efb50..6c04c6536381 100644 --- a/.buildkite/scripts/install_sysmon.ps1 +++ b/.buildkite/scripts/install_sysmon.ps1 
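Review bot: The freshly downloaded `Sysmon64.exe` is launched by the unchanged `Start-Process -FilePath $sysmonPath -ArgumentList "-m" -Wait` line with no integrity check, and with the zip step removed the `if ($sysmonPath)` guard in front of it is now vacuous, because `$sysmonPath` is a non-empty string literal assigned at the top of the script, so the `else` branch (whose message still talks about a "downloaded archive") can never run. The fetch is over forced TLS 1.2 from a Microsoft host, which is reasonable, but a CI script that executes an internet-fetched binary as the agent user should verify the Authenticode signature before running it and test for the file with `Test-Path` rather than for the variable. `Start-Process` is also called without `-PassThru`, so a non-zero exit from the manifest install goes unnoticed; the block below replaces the `if`/`else` and covers all three points. I am reading `-m` as the manifest-only install from Sysmon's usage text, so confirm that is the intended mode for the unit tests.
```powershell
if (-not (Test-Path $sysmonPath)) {
    Write-Host "Sysmon64.exe was not downloaded to $sysmonPath."
    exit 1
}

$sig = Get-AuthenticodeSignature -FilePath $sysmonPath
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    Write-Host "Refusing to run Sysmon64.exe: signature status is $($sig.Status)."
    exit 1
}

$proc = Start-Process -FilePath $sysmonPath -ArgumentList "-m" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    Write-Host "Sysmon manifest install failed with exit code $($proc.ExitCode)."
    exit 1
}
# … unchanged: success message and temp folder cleanup …
```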
@@ -2,6 +2,43 @@ $downloadUrl = "https://live.sysinternals.com/Sysmon64.exe"
 $tempFolder = "$env:TEMP\SysmonDownload"
 $sysmonPath = "$tempFolder\Sysmon64.exe"
+function Retry()
+{
+ param(
+ [Parameter(Mandatory=$true)][Action]$action,
+ [Parameter(Mandatory=$false)][int]$maxAttempts = 3
+ )
+
+ $attempts=1
+ $ErrorActionPreferenceToRestore = $ErrorActionPreference
+ $ErrorActionPreference = "Stop"
+
+ do
+ {
+ try
+ {
+ $action.Invoke();
+ break;
+ }
+ catch [Exception]
+ {
+ Write-Host $_.Exception.Message
+ }
+
+ # exponential backoff delay
+ $attempts++
+ if ($attempts -le $maxAttempts) {
+ Write-Host("Action failed. Waiting " + $retryDelaySeconds + " seconds before attempt " + $attempts + " of " + $maxAttempts + ".")
+ Start-Sleep 5
+ }
+ else {
+ $ErrorActionPreference = $ErrorActionPreferenceToRestore
+ Write-Error $_.Exception.Message
+ }
+ } while ($attempts -le $maxAttempts)
+ $ErrorActionPreference = $ErrorActionPreferenceToRestore
+}
+
 if (!(Test-Path $tempFolder)) {
 New-Item -ItemType Directory -Path $tempFolder
 }
@@ -25,15 +62,23 @@ function ParseErrorForResponseBody($Error) {
 }
 }
-try {
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- $result = Invoke-WebRequest -Uri $downloadUrl -OutFile $sysmonPath -UseBasicParsing
-}
-catch {
- $resp = ParseErrorForResponseBody($_)
- Write-Host "$resp"
- exit 1
-}
+$attempts=1
+do
+{
+ $attempts++
+ try {
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ $result = Invoke-WebRequest -Uri $downloadUrl -OutFile $sysmonPath -UseBasicParsing
+ break
+ }
+ catch {
+ $resp = ParseErrorForResponseBody($_)
+ Write-Host "$resp"
+ if ($attempts -gt 5) {
+ exit 1
+ }
+ }
+} while ($attempts -le 5)
 Write-Host "Sysmon64.exe downloaded successfully."
diff --git a/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml b/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml
index 818154eb7f18..d0ffd9fa89c9 100644
--- a/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml
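Review bot: The retry loop in the `@@ -25,15 +62,23 @@` hunk re-issues `Invoke-WebRequest` immediately after each failure with no pause, so five attempts complete within a second or two and are unlikely to ride out the transient mirror errors retries are meant for. Adding a delay after the `exit 1` check inside the `catch` block, `Start-Sleep -Seconds (5 * $attempts)`, gives a simple linear backoff; the `Retry` helper added in the first hunk has one, but nothing calls it. The loop also retries every exception, including a 404 or a TLS failure that will not change between attempts, and `$result` is assigned but never read, so the assignment can be dropped. `ParseErrorForResponseBody` begins before this hunk.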
+++ b/.buildkite/x-pack/pipeline.xpack.winlogbeat.yml
@@ -65,9 +65,7 @@ steps:
 - label: ":windows: x-pack/winlogbeat Win 2019 Unit Tests"
 key: "mandatory-win-2019-unit-tests"
 command: |
- Push-Location -Path .buildkite/scripts
- ./install_sysmon.ps1
- Pop-Location
+ .buildkite/scripts/install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 retry:
@@ -94,9 +92,7 @@ steps:
 - label: ":windows: x-pack/winlogbeat: Win 2016 Unit Tests"
 command: |
- Push-Location -Path .buildkite/scripts
- ./install_sysmon.ps1
- Pop-Location
+ .buildkite/scripts/install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "mandatory-win-2016-unit-tests"
@@ -124,9 +120,7 @@ steps:
 - label: ":windows: x-pack/winlogbeat: Win 2022 Unit Tests"
 command: |
- Push-Location -Path .buildkite/scripts
- ./install_sysmon.ps1
- Pop-Location
+ .buildkite/scripts/install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "mandatory-win-2022-unit-tests"
@@ -159,9 +153,7 @@ steps:
 steps:
 - label: ":windows: x-pack/winlogbeat: Win 10 Unit Tests"
 command: |
- Push-Location -Path .buildkite/scripts
- ./install_sysmon.ps1
- Pop-Location
+ .buildkite/scripts/install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "extended-win-10-unit-tests"
@@ -189,9 +181,7 @@ steps:
 - label: ":windows: x-pack/winlogbeat: Win 11 Unit Tests"
 command: |
- Push-Location -Path .buildkite/scripts
- ./install_sysmon.ps1
- Pop-Location
+ .buildkite/scripts/install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "extended-win-11-unit-tests"
@@ -219,9 +209,7 @@ steps:
 - label: ":windows: x-pack/winlogbeat: Win 2019 Unit Tests"
 command: |
- Push-Location -Path .buildkite/scripts
- ./install_sysmon.ps1
- Pop-Location
+ .buildkite/scripts/install_sysmon.ps1
 Set-Location -Path x-pack/winlogbeat
 mage build unitTest
 key: "extended-win-2019-unit-tests"
From 27de21085b0b6845288aba00df5e2cc8cdf68a58 Mon Sep 17 00:00:00 2001
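Review bot: Invoking `.buildkite/scripts/install_sysmon.ps1` as a child script means the `exit 1` inside it ends only that script; the step's own PowerShell carries on to `Set-Location` and `mage build unitTest`, so a failed Sysmon download or install does not fail the job and the Sysmon-dependent tests run without it. Unless the agent's hooks set something that changes this, each of the six steps should check the result right after the call, `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }`. This was equally true of the replaced `./install_sysmon.ps1` form, so it is pre-existing, but this change is the natural place to close it.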
From: Marc Guasch
Date: Mon, 20 Jan 2025 13:40:26 +0100
Subject: [PATCH 20/20] Remove unused function
---
 .buildkite/scripts/install_sysmon.ps1 | 37 ---------------------------
 1 file changed, 37 deletions(-)
diff --git a/.buildkite/scripts/install_sysmon.ps1 b/.buildkite/scripts/install_sysmon.ps1
index 6c04c6536381..18d3db964a95 100644
--- a/.buildkite/scripts/install_sysmon.ps1
+++ b/.buildkite/scripts/install_sysmon.ps1
@@ -2,43 +2,6 @@ $downloadUrl = "https://live.sysinternals.com/Sysmon64.exe"
 $tempFolder = "$env:TEMP\SysmonDownload"
 $sysmonPath = "$tempFolder\Sysmon64.exe"
-function Retry()
-{
- param(
- [Parameter(Mandatory=$true)][Action]$action,
- [Parameter(Mandatory=$false)][int]$maxAttempts = 3
- )
-
- $attempts=1
- $ErrorActionPreferenceToRestore = $ErrorActionPreference
- $ErrorActionPreference = "Stop"
-
- do
- {
- try
- {
- $action.Invoke();
- break;
- }
- catch [Exception]
- {
- Write-Host $_.Exception.Message
- }
-
- # exponential backoff delay
- $attempts++
- if ($attempts -le $maxAttempts) {
- Write-Host("Action failed. Waiting " + $retryDelaySeconds + " seconds before attempt " + $attempts + " of " + $maxAttempts + ".")
- Start-Sleep 5
- }
- else {
- $ErrorActionPreference = $ErrorActionPreferenceToRestore
- Write-Error $_.Exception.Message
- }
- } while ($attempts -le $maxAttempts)
- $ErrorActionPreference = $ErrorActionPreferenceToRestore
-}
-
 if (!(Test-Path $tempFolder)) {
 New-Item -ItemType Directory -Path $tempFolder
 }